Software License Agreement 

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE 
DOWNLOADING THE SOFTWARE. BY CLICKING ON THE "ACCEPT" BUTTON BELOW, YOU 
INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS LEGAL AND BINDING AGREEMENT AND 
ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU 
DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE "DO NOT ACCEPT" 
BUTTON AND THE INSTALLATION PROCESS WILL NOT CONTINUE. 

1. License Grant. This is a license, not a sales agreement, between you, the end user, and RedCreek 
Communications, Inc. ("RedCreek"). The term "Software" includes all RedCreek and third party software 
provided to you with the RedCreek product, and includes any accompanying documentation, any updates and 
enhancements of the Software provided to you by RedCreek, at its option. RedCreek grants to you a non- 
transferable (except as provided in Section 3 ("Transfer") below), non-exclusive license to use the Software in 
accordance with the terms set forth in this License Agreement. The Software is "in use" on a computer when it is 
loaded into temporary memory (i.e. RAM) or installed into the permanent memory (e.g. hard drive, CD-ROM or 
other storage device.) You may copy, install and use the Software on multiple computers within your business 
entity, in object code only, provided that you reproduce on each copy all of RedCreek's and its Licensors' 
proprietary notices contained on the original. 

2. Limitations on Use. You may not attempt, and if you are a corporation, you will use best efforts to prevent your 
employees and contractors from attempting to, (a) modify, translate, reverse engineer, decompile, disassemble, 
create derivative works based on, sublicense, or distribute the Software or the accompanying documentation; (b) 
rent or lease any rights in the Software or accompanying documentation in any form to any person; or (c) 
remove any proprietary notices, labels, or marks on the Software, documentation, and containers. 

3. Transfer. You may transfer (not rent or lease) the Software to a third party on a permanent basis, provided that: 
(i) the third party receives a copy of this Agreement and agrees in writing to be bound by its terms and conditions, 
(ii) you erase or destroy all other copies of the Software, and (iii) you at all times comply with all applicable 
United States export control laws and regulations. 

4. Proprietary Rights. All rights, title, interest, and all copyrights to the Software, documentation, and any copy 
made by you remain with RedCreek. You acknowledge that no title to the intellectual property in the Software is 
transferred to you and you will not acquire any rights to the Software except for the license as expressly set forth 
herein. 

5. Term and Termination. The term of the license is for the duration of RedCreek's copyright in the Software. 
This Agreement may be terminated immediately without notice by RedCreek if you breach or fail to comply with 
any of the terms and conditions of this Agreement. You agree that, upon such termination, you will destroy 
(or permanently erase) all copies of the Software. Upon RedCreek's request, you will certify to RedCreek that all 
complete and partial copies of the Software have been destroyed. The provisions of this Agreement, other than 
the license granted in Section 1 ("License Grant") shall survive termination. 

6. Limited Warranty. RedCreek warrants that for a period of three (3) months from the date of shipment from 
RedCreek: (i) the media on which the Software is furnished will be free of defects in materials and workmanship 
under normal use; and (ii) the Software substantially conforms to its published specifications. This limited 
warranty extends only to the original licensee. EXCEPT FOR THE FOREGOING LIMITED WARRANTY, 
REDCREEK DISCLAIMS ALL WARRANTIES, EITHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING 
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. REDCREEK DOES NOT 
WARRANT THAT THE OPERATION OF THE SOFTWARE SHALL BE UNINTERRUPTED OR ERROR-FREE 
OR THAT THE SOFTWARE WILL MEET YOUR NEEDS AND EXPECTATIONS. SOME STATES DO 
NOT ALLOW A DISCLAIMER OF IMPLIED WARRANTIES OR THE LIMITATION ON HOW LONG AN 
IMPLIED WARRANTY LASTS, SO SUCH LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. 
THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS AND YOU MAY ALSO HAVE OTHER 
RIGHTS WHICH VARY FROM STATE TO STATE. 

If, within the Limited Warranty Period, you report to RedCreek a failure of the Software to conform to the 
Limited Warranty, and return to RedCreek the Software and all related materials with transportation and insurance 
pre-paid, REDCREEK'S LIABILITY AND YOUR SOLE AND EXCLUSIVE REMEDY FOR BREACH OF 
WARRANTY OR ANY OTHER LEGAL OBLIGATION RELATING TO THE SOFTWARE OR RELATED 
MATERIALS (WHETHER UNDER CONTRACT, TORT, OR OTHER LEGAL THEORY) SHALL BE, AT 
REDCREEK'S OPTION, (A) TO PROVIDE YOU WITH A WORKAROUND FOR SUCH ERROR, (B) 
REPLACE THE SOFTWARE, OR (C) REPAY THE LICENSE FEE, IF ANY, PAID BY YOU. The warranty set 
forth above will not apply to any failure or deficiency which has been caused by misuse, neglect, alteration, 
improper installation, unauthorized repair or modification. If any Software returned by you to RedCreek for 
replacement is found by RedCreek, after examination and testing, not to be defective, RedCreek shall so advise 
you and shall dispose of any such disk in accordance with your instructions and at your cost, and you shall 
reimburse RedCreek for examination and testing expenses incurred at RedCreek's then current rate. 

7. Limitation of Liability. IN NO EVENT SHALL REDCREEK OR ITS LICENSORS BE LIABLE UNDER ANY 
THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL OR 
SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING WITHOUT 
LIMITATION LOSS OF USE, PROFITS, GOODWILL OR SAVINGS, OR LOSS OF DATA, DATA FILES, OR 
PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF THE SOFTWARE. IN NO EVENT WILL 
REDCREEK'S OR ITS LICENSORS' AGGREGATE LIABILITY FOR ANY CLAIM BY YOU, OR ANYONE 
CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE ACTUAL AMOUNT PAID BY YOU TO 
REDCREEK FOR THE SOFTWARE. Some jurisdictions do not allow the exclusion or limitation of incidental, 
consequential or special damages, so the above exclusions and limitations may not apply to you. 

8. Export Law Assurances. You understand that the Software is subject to export control laws and regulations. 
YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE SOFTWARE OR ANY 
UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITED 
STATES AND OTHER APPLICABLE LAWS AND REGULATIONS. 

9. U.S. Government Restricted Rights. If this Software is being acquired by the U.S. Government, the Software and 
related documentation is commercial computer software and documentation developed exclusively at private 
expense, and (a) if acquired by or on behalf of a civilian agency, shall be subject to the terms of this computer 
software license as specified in 48 C.F.R. 12.212 of the Federal Acquisition Regulations and its successors; and (b) 
if acquired by or on behalf of units of the Department of Defense ("DoD") shall be subject to the terms of this 
commercial computer software license as specified in 48 C.F.R. 227.7202-2, DoD FAR Supplement and its 
successors. 

10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time 
whatsoever on this transaction. 

11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and 
effect. This License Agreement shall be governed by the laws of the State of California, excluding the application 
of its conflicts of law rules. This Agreement will not be governed by the United Nations Convention on the 
Contracts for the International Sale of Goods. This Agreement is the entire agreement between the parties as to 
the subject matter hereof and supersedes any other communications, advertisements, or understandings with 
respect to the Software and documentation. This Agreement may not be modified or altered, except by written 
amendment which expressly refers to this Agreement and which is duly executed by both parties. 

You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and 
conditions. 
PREFACE 



This guide provides instructions for the RedCreek Ravlin Node Manager, a utility 
application that manages and configures RedCreek Ravlin hardware devices. 

The guide is intended for network systems administrators, and assumes a working 
knowledge of networking and data communications concepts. Because the Ravlin Node 
Manager runs on Windows 95, Windows 98 and Windows NT, the reader must be familiar 
with those operating systems. 



Publication Conventions 

The Windows environment usually provides several ways to accomplish the same task. 
For example, you might be able to perform a task by executing a command on a pull-down 
menu (or a pop-up menu), by double-clicking an object, or by pressing a shortcut key. 
Even so, this guide only describes one or two common ways to accomplish a task, and 
assumes that experienced Windows users have their own preferences. 

The terms "unit" and "Ravlin unit" refer to any Ravlin hardware device such as a Personal 
Ravlin II or a Ravlin 7150. 

When referred to in text, the labels on pushbuttons are printed in bold, as with Start or 
Next. Menu commands and submenu names are also bold, and separated by pipe 
symbols, as with Select Item | Add. 

This guide uses various marginal notes throughout to highlight special information. 
These marginal notes take the following forms: 

Note! This advises you of additional information you need to know. 

Caution! This advises you of a situation that could result in loss of data or failure to 
properly encrypt or decrypt data. 

Tip! This indicates a technique or trick that makes your work a little easier. 



Customer Service and Support 

The World Wide Web is fast becoming the essential technical support resource for 
companies throughout the world. We strongly encourage you to make use of RedCreek's 
Internet World Wide Web support site at http://www.redcreek.com/support/ . Product 
updates, new release notes, customer service bulletins, and additional documentation 
become available on an ongoing basis. 

Customer service and support contracts may be available through your distributor, 
reseller, or through RedCreek Communications, Inc. Distributor and reseller service 
offerings may vary. 
INTRODUCING THE RAVLIN NODE MANAGER 



The RedCreek Ravlin Node Manager (RNM) is a Windows®-based management and 
control tool for integrating Ravlin hardware units into your organization's network and 
security infrastructure. The main security services Ravlin units perform are encryption 
and authentication. 

• Encryption is the transformation of a data stream into a form unreadable by any 
but intended parties. Ravlin Node Manager can configure Ravlin units to perform 
at any of several encryption levels, depending on the security needs of your 
organization. 

• Authentication is the process of identifying other parties, and confirming that 
exchanged information has not been altered in transit. Ravlin Node Manager can 
configure Ravlin units to perform authentication alone, or to perform a 
combination of encryption and authentication. 

Together, encryption and authentication protect data passing over public or private 
communication lines. 

RNM also configures Ravlin units to exchange encrypted information with remote 
independent clients running Ravlin Soft. Ravlin Soft is a software application that 
emulates Ravlin units. 

RNM is based on the SNMP standards specified by the Internet Engineering Task Force 
(IETF), so it is possible to access and manage Ravlin units with other systems that use 
standard SNMP protocol. 

Ravlin Units 

Ravlin units are hardware devices that physically connect to other devices in your 
network environment. A Ravlin unit is shown in the following illustration. 
Each Ravlin unit has two interfaces. In most cases, one interface (sometimes called the 
local interface) exchanges IP packets from the network or subnet protected by the Ravlin 
unit. The other interface (sometimes called the remote interface) exchanges IP packets 
with an external source, typically subnets located out in the Internet. 
[Figure: Ravlin unit showing its Local interface and Remote interface] 
Because each interface has its own IP address, subnet mask, and MAC address, other 
network devices can identify and reference each interface independently. 



Routing Capability 

Ravlin units use entries in a routing table to determine which router first receives the 
outgoing packets. Using the Ravlin Node Manager, the network administrator must 
specify at least one such entry before an SA can take place. A default route is an 
acceptable minimum entry. 
Ravlin Soft Clients 

RedCreek's Ravlin Soft client, a software equivalent of a Ravlin hardware device, provides 
data privacy between remote users and the corporate network. 



[Figure: Ravlin Soft client window with Settings, Certificates and Status tabs. The Settings tab shows Security Settings (Enable Security, Block Unsecured Traffic), General Settings (Show Status Dialog) and Startup Settings (Start with Security Enabled)] 

Using the Ravlin Soft client, a mobile employee or telecommuter can establish secure 
communications with networks protected by Ravlin units or other IPsec security devices. 
Such remote users can access secure corporate resources, using either public networks or 
corporate dial-up lines. For more information about the Ravlin Soft client, refer to the 
Ravlin Soft User's Guide. 

Who Controls Ravlin Units and Ravlin Soft Clients 

Because Ravlin products provide network security, RedCreek recommends that the 
network administrator or security manager be responsible for receiving and distributing 
Ravlin hardware units and Ravlin Soft software. By being the reception point, the 
administrator or manager can log the Security IDs of incoming units, set passwords, and 
assign IP addresses. The units can then go to organization branch offices for connection 
at their assigned places in the network, and Ravlin Soft software packages can go to 
remote users for easy installation. 

In situations where centralized control is not possible, the network administrator or 
security manager of the corporate network must assign trusted parties at the remote sites 
to do initial installation of Ravlin units (assigning the unit's IP address and providing the 
Security ID to the network administrator). 



[Figure: Ravlin Soft Security Profiles list ("Check the box of the profile that will be activated when security is enabled"), with the Default profile checked] 
INSTALLING THE RAVLIN NODE MANAGER 



This section describes the process of installing the Ravlin Node Manager, and includes 
the following topics: 

• Software and system requirements 

• Installing the Ravlin Node Manager 

• Uninstalling the Ravlin Node Manager 

Software and System Requirements 

Before you install Ravlin Node Manager, make sure your system meets the following 
minimum requirements: 

• Pentium®-based computer 

• 8 MB RAM 

• 10 MB of free hard disk space 

• Microsoft® Windows® 95, Windows 98, Windows Me, Windows NT® 4.0 
(Service Pack 3 or later), or Windows 2000 

Installing Ravlin Node Manager 

To install Ravlin Node Manager — 

1. Insert the Ravlin Node Manager CD in your computer's CD drive. The InstallShield 
window appears. 

2. If the installation does not start automatically, from the Windows desktop, click the 
Start button, and then click Run. When the Run dialog box appears, type 
x:\Software\Setup.exe (where x is the name of the CD drive) in the Open box and click 
OK. The InstallShield Wizard window appears. 

3. Click Next to begin the setup process. 

4. Follow the instructions in the InstallShield Wizard window until you arrive at the 
InstallShield Wizard Complete page. 

5. Click Finish to return to the Windows desktop. 

6. If instructed, restart your computer. 
Uninstalling the Ravlin Node Manager 

To remove the Ravlin Node Manager from your system, follow these steps: 

1. From the desktop, select Start | Settings | Control Panel. 

2. Double-click the Add/Remove Programs icon. 

3. Click the Install/Uninstall tab. 

4. Select Ravlin Node Manager, then click Add/Remove. 
USING THE RAVLIN NODE MANAGER 



This section describes how to use Ravlin Node Manager to manage the operation of your 
secure VPN. 

Identifying a Ravlin Unit or Ravlin Soft Client 

To configure a Ravlin unit using the Ravlin Node Manager, you need the following 
information: 

• name assigned to the unit (also becomes part of the unit's configuration file 
name) 

• password assigned to the unit 

• IP addresses assigned to the unit's Local interface and Remote interface 

The Ethernet media access control (MAC) address and security identification number are 
printed on a label attached to the bottom of each Ravlin, and can also be viewed from the 
front panel of some Ravlin units. The interface IP addresses are typically assigned to the 
unit and set by the network administrator or security manager before the unit is deployed 
in the network. 

Important: The password consists of up to 16 alphanumeric characters. The four-digit 
string "1234" is the factory default password for all Ravlin units. For 
security reasons, REDCREEK RECOMMENDS CHANGING THE 
PASSWORD TO A VALUE OTHER THAN THE DEFAULT ("1234"). 

Like Ravlin hardware units, each Ravlin Soft client has a Security ID. However, Ravlin Soft 
clients have a generic Security ID (currently 3003-000-00000) that applies to all Ravlin Soft 
clients. The Ravlin Node Manager uses the Security ID to identify the Ravlin Soft client to 
Ravlin units so they can accept a connection attempt from the Ravlin Soft client. Because 
generic Security IDs do not provide individual client identification, RedCreek also 
supports use of the RADIUS authentication protocol for individual verification and 
access restriction for Ravlin Soft users in the network. 

The Ravlin Node Manager User Interface 

The Ravlin Node Manager provides standard Windows features for access and control of 
the Ravlin units on your system. These features include an application window, a menu 
system, dialog boxes, and other familiar Windows objects. 
Starting and Ending Ravlin Node Manager Sessions 

To start a session in the Ravlin Node Manager, select it from the Windows Start menu. (If 
the Ravlin Node Manager was installed with default menu settings, you can select Start | 
Programs | RedCreek Communications | Ravlin Node Manager.) 

The system displays the Ravlin Node Manager application window. 

To quit the Ravlin Node Manager, select File | Exit. 

The Ravlin Node Manager Application Window 

The Ravlin Node Manager application window is the medium through which you 
configure and manage Ravlin units. The set of configuration values for a single Ravlin 
device is known as a unit profile. When no unit profile is open (as when a new Ravlin 
Node Manager session begins), the application window consists of a title bar, a menu bar, 
a quick-access tool bar, and a status bar. 




[Figure: Ravlin Node Manager application window with its title bar, menu bar, tool bar and status bar labeled] 

The title bar identifies the Ravlin Node Manager application window and, if a unit profile 
is open, displays the name of the profile. The menu bar provides access to the Ravlin 
Node Manager's menu commands, and the tool bar allows quick execution of important, 
frequently-used menu commands. The status bar is a context-sensitive display that 
provides information about the current state of the Ravlin Node Manager session. 

When you open a unit profile, it appears in a unit window. A unit window displays 
configuration information for a single Ravlin unit. 
A unit window consists of two sections, the Item pane and the Contents pane. The item 
pane displays components, which contain configuration settings. When you click a 
particular item in the Item pane, the information attached to that choice appears in the 
Contents pane on the right. 

Tip: You can move between the Item pane and the Contents pane easily by 
pressing <Tab>. 

Note: In order to reduce unnecessary SNMP network traffic, RNM does not 
automatically refresh Contents pane information. The unit window may 
not immediately display the most recent changes. To refresh the screen to 
reflect current values, press <F5> or select View | Refresh. 



Menus, Shortcut Keys, and Speedbar Buttons 

You can initiate commands from a menu by clicking buttons in the toolbar, or by using 
keyboard shortcuts. Right-clicking an entry in the Item pane or the Contents pane displays a 
pop-up menu of commands that apply to the selected entry. 



MN-00038 C 






[Figure: Ravlin Node Manager application window with the File, Edit, View, Tools, Window and Help menus. The Item pane lists Interfaces, MIB II, Network, Policy Database, Reporting, Settings, Status, SA Statistics and System; a pop-up menu in the Contents pane offers Activate, Insert, Delete, Refresh and Select All] 



The menu remains displayed until you choose a command, press <Esc>, or click outside 
the menu. 

You perform or initiate configuration tasks by choosing commands from the menu bar or 
the quick-access toolbar. The following table summarizes the menu commands, toolbar 
buttons, and shortcut keys. 



Command                    Menu   Shortcut Keys   Operation 

New                        File   Ctrl+N          Allows you to create a new configuration file 
Open                       File   Ctrl+O          Opens an existing Ravlin configuration file 
Exit                       File   Alt+F4          Closes the configuration files and exits the application 
Refresh                    View   F5              Makes the display reflect the current settings for the selected unit 
Activate                          Enter           Starts a modification operation in the contents list 
Rename                     Edit   Ctrl+R          Renames a policy data entry in the Policy Database component 
Insert                     Edit   Ins             Adds item-specific data. For example, if an ESP tunnel is currently selected, pressing this button displays the Add Tunnel dialog box. 
Delete                     Edit   Del             Deletes the selected item from the list (if the item can be deleted) 
Properties                 File                   Displays properties of the selected Ravlin unit 
Toolbar                    View                   Displays or hides the Toolbar 
Status Bar                 View                   Displays or hides the Status Bar 
RedCreek on the Web        Help                   Provides access to RedCreek Web sites 
About Ravlin Node Manager  Help                   Displays software revision information 
SETTING UP A SECURITY ASSOCIATION 



Ravlin units perform secure data exchange via relationships called security associations 
(SAs). Although each network system is unique, most systems tend to require the same 
basic, mandatory steps for setting up SAs. This section introduces the Ravlin Node 
Manager components needed to perform these basic steps. 



Quick Start 

For most systems, RedCreek recommends the following setup sequence. 



Preliminary Task Overview 

The preliminary part of the setup process consists of four basic steps: 

1. Install the Ravlin Node Manager on a host in your network. 

For installation instructions, refer to "Installing the Ravlin Node Manager," page 7. 

2. Install Ravlin units on your network system. 

Install the Ravlin unit in your network. Install any other security devices (such as 
other Ravlin units) on the LANs you want to protect. In most cases, you connect a 
security device between the protected LAN and its router. For information on 
installing Ravlin units and performing initial unit configuration, refer to the 
appropriate Ravlin hardware user's guide. 

3. If any remote clients need to access the protected network, install the Ravlin Soft 
software on them. 

For information on installing Ravlin Soft, refer to the Ravlin Soft User's Guide. 

4. If you have pre-existing Ravlin units that use firmware versions previous to 3.40, 
convert to the new boot-ROM and firmware. 

After you are finished performing these tasks, continue with the tasks outlined below. 



Basic Setup Procedure Overview 

Perform the remaining setup using the Ravlin Node Manager. The basic setup procedure 
consists of four steps: 
1. Initiate the configuration file. 

Start a session in the Ravlin Node Manager and initiate a new configuration file. Input 
the settings that identify the Ravlin unit. Using the Interfaces component, be sure 
that the IP address, MAC address, and subnet mask are set correctly for each 
interface. 

2. Set up the routing table. 

Set up the routing table so the Ravlin unit knows where to send IP packets. Because a 
Ravlin unit can direct packets to many different locations, it might be necessary to 
create multiple routing entries. A common technique is to set up a general, default 
route to the nearest IP router. 

3. Set up one or more policy data entries. 

A policy data entry contains a set of specifications that define the properties and 
behavior of a security association (SA). The Ravlin unit defines each SA according to 
one of these entries. Because a Ravlin unit can have multiple SAs, each with different 
characteristics, it might be necessary to create multiple policy data entries. 

A. Create at least one entry in the Key Management table. 

Each Key Management entry is a profile that describes the kind of key to use 
when establishing an SA, the type of hashing to use, and the kind of encryption 
to perform during the key exchange. Select the key management types to be 
supported in any subsequent policy data entries (step C below). 

B. Create at least one entry in the Protocol table. 

Each Protocol Table entry is a profile that determines which IPsec protocol to 
use. These protocols include Authentication Header (AH) and Encapsulating 
Security Payload (ESP). Select the protocol types to be supported in any 
subsequent policy data entries (step C below). 

C. Create at least one policy data entry in the Policy table. 

Create a policy data entry, selecting from the group of preconfigured items (made 
in Steps A and B above). A policy data entry is a specification the Ravlin unit 
uses to build an SA. Because the unit can establish and run multiple SAs 
simultaneously, you might need to create more than one such entry. 

4. Set the Ravlin unit to VPN mode. 

To enable Ravlin security, you need to set the operating mode of the unit to VPN 
(Apply Policy to All Traffic). Otherwise, no encryption or decryption takes place. 






5. Create a compatible policy data entry and configuration on the peer Ravlin unit. 

Before your Ravlin can establish an SA with a peer Ravlin unit, a compatible policy 
data entry and configuration must be set up on the peer unit. Otherwise, no SA can 
occur between the two devices. 

Initiating a Configuration File 

The first step in setting up an SA for your VPN is to create a configuration file for the 
Ravlin unit. This file contains the configuration settings the Ravlin Node Manager needs 
to access the unit. Before you can perform this task, you need the following information: 

• The IP addresses of the Ravlin unit (if previously installed) 

If you are configuring a previously-installed Ravlin unit, you need to know the 
unit's current IP addresses before following the instructions below. If the unit 
has a front panel, you can retrieve the IP addresses by pressing the IP button 
(button 1) on the unit's front console. Otherwise, get the IP addresses from the 
system administrator. You can always use the unit's default Local and Remote IP 
addresses (192.168.254.253 and 192.168.254.254 respectively). 

• The password for the Ravlin unit 

If the Ravlin unit still uses the default password, the value is "1234." Otherwise, 
you must obtain the password from the system administrator. 

After obtaining this information, perform the following steps: 

1. Start a Ravlin Node Manager session and start a new configuration file by selecting 
File I New. 

The Specify Ravlin Name dialog box appears. 

2. Enter a name for the new configuration file, then click Save . 
This is essentially a Save dialog box, though its title is different. 
The Properties window appears. 
[Figure: Properties window, General tab, showing the unit name (LA Office), the Password field and the Location field holding the configuration file path] 

3. Enter the password (without quotation marks), then open the Connection page by 
selecting the Connection tab. 

Note: Entering the password here is optional. If you don't enter it here, the 
Ravlin Node Manager prompts you for it later when you try to change the 
Ravlin unit's configuration settings. 

The Connection page displays the default IP address. 
[Figure: Properties window, Connection tab, Addressing section with the IP Address field] 

The address shown in the IP Address field is the default address for the Local 
interface. However, if the Ravlin unit was already configured with a different Local IP 
address, the default address does not apply (see next step). 

4. If the Ravlin unit has a previously -entered Local IP address (and you know this 
address), enter that address in the IP Address field. Otherwise, leave the default IP 
addresses alone. 

You cannot change the unit's IP address from the Properties window. 

5. If the Ravlin unit has a previously -entered Local IP address (and you know this 
address), enter that address in the IP Address field. Otherwise, leave the default IP 
addresses alone. 



You cannot change the unit's IP address from the Properties window. 
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6. 



If: 



• the IP address of the host machine running the Ravlin Node Manager and the 
Ravlin unit's assigned IP address are each on different network segments 

and 

• the Ravlin unit and the host machine running the Ravlin Node Manager are on 
the same LAN (with no router between them) 

then you must enable the Treat non-local IP address as local check box. 

7. If the IP address of the host machine running the Ravlin Node Manager and the 
Ravlin unit's assigned IP address are each on different network segments, you must 
enable the check box labeled Treat non-local IP address as local. This lets the host 
machine and the Ravlin unit communicate. 

8. Click OK. 



The settings appear in the Contents pane of the unit window. 
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The Ravlin Node Manager can now communicate with the Ravlin unit. However, if 
you are configuring the unit for the first time, it probably has the default interface IP 
addresses. The default IP addresses can now be changed to working IP addresses for 
your network. If you wish to do so, go on to the next step. 

Note: Before the Ravlin unit can run in security mode, you must change the IP 
addresses from their defaults. 

9. To change the IP address and subnet mask values, select the Interfaces component 
and double-click the Local (or Remote) entry in the Contents pane of the Unit window. 

The Modify IP Address and Subnet Mask dialog box appears. 

10. Modify the IP address and subnet mask values, then click OK. 

This completes the initialization process. Ravlin Node Manager can now communicate 
with the Ravlin unit. 

Note: Whether the Ravlin unit runs in bridge mode or router mode depends on 
the IP address and subnet mask values you specify for the Local and 
Remote interfaces. The Ravlin unit runs in bridge mode if the Local and 
Remote network addresses are the same; otherwise, the unit runs in 
router mode. 

For example, assume both interfaces have the same subnet masks. If the 
Local interface IP address is 172.16.26.4, and the Remote interface IP 
address is 172.16.26.10, the Ravlin unit runs in bridge mode. By contrast, 
if the Local interface IP address is 172.16.26.4, and the Remote interface IP 
address is 10.1.1.10, the Ravlin unit runs in router mode. 

Setting Up the Routing Table 

The second basic step in setting up an SA for your VPN is to create one or more entries in 
the Ravlin unit's routing table. The unit uses this routing table to decide where to send IP 
packets destined for other network devices. For example, when the Ravlin unit receives an 
IP packet from a local subnet and then encrypts it, the unit consults the routing table to 
decide which interface to use for sending the encrypted packet. 

The example that follows shows how to create a single entry in a routing table. However, a 
routing table can contain multiple entries. If this is the case, the Ravlin unit must select the 
best routing entry before it transmits an IP packet. To do this, it selects the routing entry 
that: 

• matches the destination IP address of the packet 
and 

• is the most specific, and most narrowly matches the packet's destination IP 
address (network mask describes the narrowest range of network locations) 

For example, assume the destination address of an IP packet is 172.16.138.2, and two 
routing table entries exist, each with a network address of 172.16.138.0. If one entry has a 
network mask of 255.255.255.252 and the other has a network mask of 255.255.255.0, the 
Ravlin unit chooses the former entry because it specifies a narrower range than the latter. 
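The two address computations described in this chapter, worked through in Python as an added example (this is not RedCreek's code and it does not talk to a Ravlin unit): operational_mode applies the bridge-versus-router rule from the Note at the end of the initialization steps, treating "same network address" as the same network under the masks given, and select_route implements the most-specific-match rule above, returning None when nothing matches, which is the case the default route guards against. The Route class, the function names and the sample table are constructed for this example; its gateway addresses are placeholders.

```python
"""Added example (not RedCreek code): the address computations the manual
describes, done with Python's standard ipaddress module."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    """One Routing Table row, using the four fields of the Route Information dialog."""
    network: str    # Network Address
    mask: str       # Network Mask, dotted form as entered in the dialog
    gateway: str    # Gateway Address (next hop)
    interface: str  # "Local" or "Remote"


def operational_mode(local_ip: str, local_mask: str,
                     remote_ip: str, remote_mask: str) -> str:
    """Bridge mode when Local and Remote share one network, else router mode."""
    local_net = ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False)
    remote_net = ipaddress.ip_network(f"{remote_ip}/{remote_mask}", strict=False)
    return "bridge" if local_net == remote_net else "router"


def select_route(table: List[Route], destination: str) -> Optional[Route]:
    """Return the entry that matches the destination with the narrowest mask.

    A longer prefix (narrower mask) wins over a shorter one. With no match the
    result is None, which is why the 0.0.0.0 / 0.0.0.0 default route is essential.
    """
    dst = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(f"{route.network}/{route.mask}", strict=False)
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


# Constructed sample table: the default route plus the two overlapping
# 172.16.138.0 entries from the manual's example (gateways are placeholders).
SAMPLE_TABLE = [
    Route("0.0.0.0", "0.0.0.0", "192.168.138.1", "Remote"),
    Route("172.16.138.0", "255.255.255.0", "192.168.138.1", "Remote"),
    Route("172.16.138.0", "255.255.255.252", "192.168.138.1", "Remote"),
]
```

With SAMPLE_TABLE, 172.16.138.2 falls inside both 172.16.138.0 entries and the 255.255.255.252 one is chosen; 172.16.138.9 only matches the 255.255.255.0 entry; any address outside 172.16.138.0/24 falls through to the default route, and removing the default route leaves such packets with no route at all.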

Important: It is essential to create a generic, default route in the routing table. The 
network address and subnet mask for this route should be set to 0.0.0.0. 
The example that follows creates this default route. 

To make the default entry in the routing table, perform the following steps. 

1. From the Network component right-click Routing Table, then select Insert from the 
pop-up menu. 
The Route Information dialog box appears. 

The entry fields displayed in this dialog box hold the following values: 



Value              Purpose 

Network Address    The IP address of the destination network where the Ravlin unit 
                   sends the IP packets. (When you create the default route, enter 
                   0.0.0.0 in this field.) 

Network Mask       A masking value that determines what subnet of the destination 
                   network receives the IP packets from the Ravlin unit. (When 
                   you create the default route, enter 0.0.0.0 in this field.) 

Gateway Address    The address of the first router to receive the IP packets and 
                   direct them to the destination network. 

Interface          The interface (Local or Remote) from which the Ravlin unit 
                   sends the IP packets to the router specified in the Gateway 
                   Address field. The interface is usually Remote. 



The diagram below illustrates a simple scenario, which will apply to subsequent 
instructions. Assume that the Ravlin Node Manager, on PC C, must define an SA that 
allows PC A and PC B to exchange data securely. 

[Diagram: Ravlin Unit A (Local and Remote interfaces) and Router B (192.168.192.1); 
the other interface addresses are illegible in the scan.] 



To set up the default route requires the following values: 

• Network Address: 0.0.0.0 

The Network Address setting identifies the destination of the IP packets. The 
default route allows packets to go to any network, so the setting should be 
0.0.0.0. 

• Network Mask: 0.0.0.0 

The Network Mask setting identifies the portion of the destination network 
where the Ravlin unit sends IP packets. The default route allows packets to go to 
any subnet, so the setting should be 0.0.0.0. 

• Gateway Address: 192.168.138.1 

The Gateway Address setting identifies the router that directs the IP packets to 
the destination network. (This setting is sometimes referred to as a "next hop" 
address.) Router A is the first router on the Remote side of the Ravlin unit, so the 
Gateway Address value in the above example is 192.168.138.1. 

• Interface: Remote 

The Interface setting specifies which of the Ravlin unit's interfaces sends out the 
IP packets. A Ravlin unit has a separate IP address for each interface. In this 
example, Ravlin unit A sends packets out through the Remote interface, so the 
setting is Remote. 

2. Save the routing entry by clicking OK. 

The dialog box disappears, and a row appears in the Routing Table. 



22   MN-00038 C 

[Screenshot: Ravlin Node Manager unit window with Network | Routing Table selected, 
showing the Network, Mask and Next Hop columns; the first row is the default route 
0.0.0.0 / 0.0.0.0 with next hop 209.218.26.1, and the status bar reads 
"0002 Total, 0001 Selected".] 

A routing table can contain multiple entries. For example, you might need to add extra 
routes for networks that cannot be reached through the default route. 



3. If you have other routing entries to add, do so now. 

When the Ravlin unit decides where to send each IP packet, it chooses the routing 
entry that most narrowly matches the destination IP address of the packet. 

4. You must also set up a default route entry on Ravlin Unit B to provide a route to 
Ravlin Unit A. A typical configuration for the entry is as follows: 

• Network Address: 0.0.0.0 

• Network Mask: 0.0.0.0 

• Gateway Address: 192.168.192.1 
This setting identifies Router B. 

• Interface: Remote 



Preparing to Set Up Policy Data Entries 

A policy data entry is a description of a security association (SA) that defines the 
properties and behavior of the SA. The Ravlin unit uses this description to generate the 
SA. Each policy data entry contains the following information: 

• The kind of key management (manual or ISAKMP) 

A Ravlin unit can establish an SA using a manual key or ISAKMP. Because a 
manual key is a mutually agreed-upon value, it does not require exchange of 
digital certificates or the generation of a session key as an ISAKMP-generated 
key does. 

• The kind of encryption (if any) the Ravlin unit performs on the IP traffic 
exchanged during the SA 

Ravlin units can perform 56-bit DES, and the three-key 168-bit Triple DES 
encryption. 

• The kind of hashing algorithm the Ravlin unit uses during authentication 

Ravlin units can use MD5 or SHA-1 hashing. MD5 is a 128-bit hash function 
designed for efficient implementation on microprocessor-based systems such as Intel's. 
SHA-1 is a 160-bit hash function, established by the National Institute of 
Standards and Technology (NIST), with security mechanisms similar to MD5. 
Because SHA-1 generates a 160-bit hash, it is considered safer from brute-force 
cryptographic attacks than MD5. 

• The operational mode used during the SA. 

Ravlin units can run in IPsec modes such as AH or ESP tunneling. 



Policy Data Entry Creation Overview 

The process of creating of a policy data entry consists of three basic steps: 

1. Create at least one entry in the Key Management table. 

Each Key Management entry is a profile that describes the kind of key to use when 
establishing an SA, the type of hashing to use, and the kind of encryption to perform. 
An entry in the Key Management table has no direct effect when the Ravlin unit 
builds an SA. It only contains possible settings for a policy data entry. 

2. Create at least one entry in the Protocol table. 

Each Protocol Table entry is a profile that determines which IPsec protocol to use 
(AH or ESP). As with Key Management table entries, an entry in the Protocol Table 
has no direct effect when the Ravlin unit builds an SA. It only contains possible 
settings for a policy data entry. You create policy data entries later in the Policy Data 
Entries subcomponent (described below). 

3. Create a policy data entry in the Policy table. 

A policy data entry is a specification the Ravlin unit uses to build an SA. Because the 
unit can establish and run multiple SAs simultaneously, you might need to create 
more than one such entry. 

Note: When you create a policy data entry, you invoke entries previously made 
in the Key Management table and the Protocol table. Consequently, you 
must create the necessary entries in those tables before you can create a 
policy data entry. 

Creating a Key Management Table Entry 

To create an entry in the Key Management table, perform the following steps: 

1. Open the Policy Database component by double-clicking it, open the Key 
Management subcomponent by double-clicking it, then select: 

• Manual (to specify a pre-arranged, manual key) 
or 

• ISAKMP (for generating a session key using ISAKMP and the Diffie-Hellman 
algorithm). 

If you selected Manual: 

Perform the following steps: 

A. Highlight Manual, then double-click the corresponding row in the Contents pane 
(or, to start a new entry, right-click Manual, then select Insert). 

The Manual Key Information dialog box appears. 

B. Enter the following pre-arranged values: 
Under Encryption: 

• Inbound - The key used for decrypting IP packets received from the peer 
Ravlin unit. 

• Outbound - The key used for encrypting IP packets for transmission to the 
peer Ravlin unit. 

Note: On the peer Ravlin unit, these values are reversed. 

Under Authentication Key: 

• Inbound - The hashing key used for authenticating IP packets received from 
the peer Ravlin unit. 

• Outbound - The hashing key used for authenticating IP packets sent to the 
peer Ravlin unit. 

Note: On the peer Ravlin unit, these values are reversed. 






Under SPI: 

The SPI (Security Parameter Index) is a 32-bit integer value that identifies the SA 
to which an IP packet belongs. This value resides in the ESP header of each 
packet sent and received by the Ravlin unit. 

• Inbound - The SPI that identifies the SA for IP packets received from the 
peer Ravlin unit. 

• Outbound - The SPI that identifies the SA for IP packets sent to the peer 
Ravlin unit. 

Note: On the peer Ravlin unit, these values are reversed. 

C. Click OK. 

The new entry appears in the Contents pane. From now on you can use this 
entry when you create a policy data entry in the Policy Database. 

If you selected ISAKMP: 

Perform the following steps: 

A. Right-click ISAKMP, then select Insert. 

The ISAKMP Key Management Entry dialog box appears. 

B. Click the Add button near the upper-right portion of the dialog box. 
The ISAKMP Proposal Table dialog box appears. 
The Group 1 and Group 2 items refer to the Diffie-Hellman groups. Group 1 
specifies a 768-bit Diffie-Hellman value, while Group 2 specifies a 1024-bit Diffie-
Hellman value. Group 2 is considered more secure than Group 1. 



C. Highlight the ISAKMP proposal (or proposals) you want, then click OK. 

The ISAKMP Key Management Entry dialog box reappears, showing a new Key 
Management entry. From here on, you can use this entry when you create a 
policy data entry in the Policy Database. 

D. If you want this entry to use Perfect Forward Secrecy (PFS), enable the Enable 
Perfect Forward Secrecy checkbox. 

With PFS, the Ravlin unit does not derive any additional keys from the original 
key. In addition, if the Ravlin unit derived the key from any other keying material, 
the unit does not use that material to derive any more keys. This prevents 
intruders from using any information known about the derivation of one key to 
derive subsequent keys. 

Note: Both ends in an SA must have the same Perfect Forward Secrecy (PFS) 
settings. For example, because PFS is disabled by default with a Ravlin 
Soft client, the remote peer unit's policy data entry must also specify PFS 
disabled, or the SA will not be established. 

E. Click OK. 

2. If you want to base policy data entries on other Key Management profiles (Manual or 
ISAKMP), go back to Step 1 and create them now. 

You can now use these Key Management table entries to create protocol entries. 

Creating a Protocol Table Entry 

Entries in the Protocol table specify operational modes SAs can use. These operational 
modes include Authenticated Headers (AH) and Encapsulating Security Payload (ESP). 

• While running in the Authentication Header (AH) security mode, the Ravlin unit 
provides integrity and authentication without confidentiality. AH ensures proper 
authentication by inserting an authentication header in the packet between the IP 
header and the payload. Because neither the packet's payload nor its IP address 
is encrypted, AH mode is widely acceptable even where the export, import, or use 
of encryption is regulated or prohibited. 

While running in the AH Tunneling security mode, the Ravlin unit encapsulates 
the original IP packet and attaches an AH header and a new IP header. As with 
normal AH mode, no encryption takes place. 

• While running in the Encapsulating Security Payload (ESP) security mode, the 
Ravlin unit encrypts the entire IP packet, authenticates it, encapsulates it, and 
gives it a new IP header. When two Ravlin units establish a security association 
in ESP mode, the communication link between the units is referred to as an ESP 
tunnel. Because ESP tunnel mode encapsulates and encrypts the original IP 
header along with the payload, intruders cannot capture routing information and 
use it to attack the system. 

While running in ESP Transport security mode, the Ravlin unit encrypts only 
the payload and ESP trailer. It does not encrypt the source IP address. Because 
of low overhead, ESP Transport mode usually gives high performance. 

To create a protocol entry, perform the following tasks: 

1. Right-click the IPsec subcomponent under the Protocols component, then select 
Insert. 



The IPsec Protocol Entry dialog box appears. 



2. From the IPsec Protocol Type dropdown, select the security mode. 

3. Click the Add button near the upper-right portion of the dialog box. 

Depending on the protocol type you selected, either of the following dialog boxes 
appears: 

• The AH Proposal Table dialog box 

This dialog box presents Authentication Header (AH) proposals, each with a 
different set of hashing and encapsulation options. For example, Proposal 1 uses 
MD5 hashing and Tunnel mode. 
• The ESP Proposal Table dialog box 

This dialog box presents ESP Tunneling and ESP Transport proposals, each with 
a different set of encapsulation and authentication options. 
4. After selecting a proposal, click OK. 

The proposal appears in the IPsec Protocol Entry list. 

5. If necessary, create more IPsec protocol entries. 

(Recall that to switch between security modes, you must change the setting in the 
IPsec Protocol Type dialog box.) 

6. When you are finished creating IPsec protocol entries, click the OK button from the 
IPsec Protocol Entry dialog box. 

You can now use these Protocol table entries to create policy data entries. 



Creating a Policy Data Entry 

A policy data entry defines the properties and behavior of a possible SA. The Ravlin 
unit defines the SA according to these specifications. 

Important: Every SA generated by a Ravlin unit is based on a policy data entry. In 
turn, policy data entries use indexes created in the Key Management table 
and the Protocol table. Be sure to make the necessary entries in these 
tables before attempting to create a policy data entry as described below. 

Note: Do not attempt to create a separate policy data entry for each network or 
subnet protected by the Ravlin unit. For example, if a Ravlin unit protects 
two different subnets, it is not necessary to create a separate policy data 
entry for each. Use a single policy data entry (and a single SA) to protect 
multiple protected networks. 

Before creating a policy data entry, you need the following information: 

• The Distinguished Name (DN) of the peer network security device to which the 
Ravlin unit will establish the SA. If the network security device is a Ravlin unit, 
the DN is equivalent to the unit's Security ID. 

If the Ravlin unit has a front-panel display, you can get the Security ID by 
pressing the SID button (button 3). Otherwise, the Security ID is printed on the 
label on the bottom of each unit. 

• The Remote interface IP address of the peer device (the device with which the 
Ravlin unit will establish the SA). 
• The IP address and subnet mask of the protected networks (the networks and 
subnets protected by the Ravlin unit). 

You can create a new policy data entry in one of two ways: 

• Using the Add Policy Data Entry Wizard 

The Wizard simplifies the initial setup process by walking you through the 
sequence step by step. 

• Creating the policy data entry directly (without the Wizard) 

The Ravlin Node Manager allows initial policy data entry setup directly 
through the components listed in the Item pane of the Unit window. 

Note: For the sake of explanation, the instructions that follow assume that you 
will not use the Wizard. 

To create a new policy data entry directly through the components, perform the following 
tasks: 

1. Right-click the Policy Data Entries component, then select Insert. 
The Confirm Use Policy Entry Wizard dialog box appears. 

2. Click No. 

A new policy data entry appears under the Policy Data Entries component. 

Note: You can change the name of the policy data entry by highlighting it and 
clicking it, or by highlighting it and selecting Edit | Rename. 

3. Display the elements of the new policy data entry by double-clicking it. 
The elements appear just below the entry. 

The elements of the policy data entry are as follows: 

Element            Purpose 

Peer Info          This element identifies and describes the network security 
                   device (peer) with which the Ravlin unit establishes the SA. 
                   In most cases, the peer device is another Ravlin unit. 

Key Management     This element identifies the manual or ISAKMP key 
                   management proposal used to create SAs with this policy 
                   data entry. (To be available for this element, this proposal 
                   must exist in the Key Management table.) 

IPsec Settings     This element identifies the IPsec security mode proposal 
                   used to create SAs with this policy data entry. (To be 
                   available for this element, this proposal must exist in the 
                   Protocols table.) 

Routing            This element determines the next hop IP address (the address 
                   of the router where the Ravlin unit sends the packets). 

                   In most cases, the "Unspecified - Use Routing Table" default 
                   should be used, and you must configure your routing table 
                   accordingly. Entries are made here only if configuring a 
                   routing entry that applies only to SAs covered by the current 
                   policy data entry. Any entry here overrides entries made in 
                   the global routing table. 

Network Tables     This element specifies which networks and subnets the 
                   Ravlin unit protects and where the Ravlin unit sends 
                   information from the protected networks and subnets. 

Statistics Tables  This element displays statistical information generated during 
                   SA operation. 



The next step is to specify the peer network security device. 
4. Select the Peer Info element to specify the peer unit with which to establish the SA. 

A. Double-click the Type value in the Contents pane, select the peer type from the 
dropdown list, then click OK. 

• Select VPN Host if the peer device is a Ravlin Soft client (or some other 
IPsec client on the network). 

• Select VPN Gateway if the peer device is another Ravlin unit or some other 
IPsec gateway device on the network. 

• Select Non-VPN - Bypass if you want to pass incoming and outgoing IP 
packets in the clear, whether the session was initiated internally (by a host in 
the Ravlin's protected network) or externally (by a system in a network that 
is not defined in the Ravlin unit's Protected Networks table). 

• Select Non-VPN - Bypass Outbound Only if you only want to pass incoming 
and outgoing packets in the clear, when the session was initiated internally 
(that is, by a system on the Ravlin's protected network). 

B. Double-click the IP Address value in the Contents pane, enter the IP address of 
the peer network device, then click OK. 

For example, if the peer network device is a Ravlin unit that will receive IP packets 
through its Remote interface, enter the IP address of that interface. 

C. Double-click the Distinguished Name (DN) value in the Contents pane. 
The Peer Distinguished Name dialog box appears. 

If the peer device is a Ravlin unit, specify the unit's RedCreek Security ID as the 
distinguished name. To do so, be sure the Use RedCreek Security ID checkbox is 
enabled, then enter the Security ID of the unit. (The Security ID is printed on the bottom 
of the unit.) 

If the peer device is not a Ravlin unit, enable the Use Generic Distinguished Name 
checkbox and enter the distinguished name of the device. 

5. Select the Key Management element to specify which manual or ISAKMP Key 
Management proposal to use for the SA. 

A. Double-click the Type value in the Contents pane, then select Manual or 
ISAKMP from the dropdown list. 

The ISAKMP entries you created in the Key Management table appear. 

[Screenshot: Specify Key Management dialog box, listing the entries with their Key 
Management Type, Retries, PFS, Preshared Key and Proposal IDs columns.] 

B. Select the proposal you want, then click OK. 
The settings appear in the Contents pane. 

6. Select the IPsec Settings element to specify which IPsec Protocol proposal to use for 
the SA. 

A. Double-click the Index value. 
The IPsec Protocol table appears. 

B. Select the Protocol proposal, then click OK. 
Your choice appears in the Contents pane. 

7. Select the Routing element to specify the router to which the packets are sent for 
routing in the network. 

• If you want the Ravlin unit to direct outbound traffic using the routing table, 
leave the Next Hop setting at Unspecified - Use Routing Table. 

Important! This is the setting used in the great majority of cases. 

• If you want to bypass the routing table and explicitly specify the router, double-
click the Next Hop setting, enter the IP address of the router, then click OK. 

Caution! In most cases, you should not choose this option. Use this setting 
only when you need to specify a policy-specific route that overrides 
the global routes listed in the unit's routing table. 

Your entry appears in the Contents pane. 

8. Select the Network Tables element to specify which networks and subnets the Ravlin 
unit will protect. (You might need to open the Network Tables element by double-
clicking it.) 

A. To specify the protected networks or subnets on the Local side of the Ravlin 
unit, right-click the Local Network item. To specify the networks or subnets 
protected by the peer unit, right-click the Peer Network item. 

A pop-up menu appears. 

Note: You must specify protected networks for both the Ravlin unit and the 
peer Ravlin unit. Leaving these settings blank might prevent 
completion of the policy data entry. 

B. From the pop-up menu, select Insert. 

The Add Local (or Remote) Network Entry dialog box appears. 

C. Enter the network address and subnet mask of the network (or subnet) you want 
to protect, then click OK. 



Setting the Operational Mode of a Ravlin Unit 

A Ravlin unit can run in three basic operational modes: 

• Pass All Traffic 

In this mode, the Ravlin unit performs no security operations on the data it 
receives, and passes all of it to other network devices. 

• Block All Traffic 

In this mode, the Ravlin unit prevents the flow of data entirely, effectively 
shutting down communication. 

• Apply Policy to All Traffic 

In this mode, the Ravlin unit performs all security operations in keeping with 
policy data entries, which contain SA settings and configurations. Before the 
unit can exchange secured (that is, authenticated or encrypted) information, you 
must set the operational mode to this value. 

To set the Ravlin unit's operational mode, perform the following steps: 

1. Select the Settings component (you might have to double-click the component to 
open it), then select the Control Settings element. 

2. Double-click the Operational Mode value. 

The Modify Operational Mode dialog box appears. 

3. Set the dropdown list to Pass All Traffic, Block All Traffic, or VPN. 
Note: If you attempt to set the operational mode to VPN (Apply Policy to All 
Traffic), an error message appears if either of two conditions applies: 

• The Remote and Local interface IP addresses are still set to their default values. If 
this is the case, open the Interfaces component and change the IP addresses. 

• There is no entry in the Routing Table. If this is the case, open the Network | 
Routing Table component and create an entry. 

4. Click OK. 



Creating a Peer Unit Policy Data Entry and Configuration 

Before a Ravlin unit can use a policy data entry to establish an SA with another Ravlin 
unit, the other unit must have a compatible policy data entry, and both units must be 
similarly configured. Examples are Unit A and Unit B in the diagram below. 

[Diagram: Unit A (with its policy entry) and Unit B.] 

Assume that the network administrator has already created a policy data entry on Unit A, 
as described above in "Creating a Policy Data Entry." 



Ravlin Node Manager     Specification 
Component 

Network Component       There must be at least one Routing Table entry in Unit B 
                        that directs IP traffic to the appropriate router. That router 
                        must have an entry in its own routing table that can direct 
                        traffic to Unit A. 

Policy Database         There must be at least one policy data entry in Unit B that 
Component               matches the policy data entry in Unit A. Unit B's policy 
                        data entry must have the following characteristics: 

                        • Peer Info 

                        The Type setting must match Unit A. For example, if 
                        Unit A is a Ravlin unit of any kind, the setting must 
                        be Gateway. The IP Address setting must be the IP 
                        address of the Remote interface on Unit A that 
                        exchanges traffic with Unit B. The Distinguished 
                        Name should be set to Unit A's SID. 

                        • Key Management 

                        If the key management type is Manual, the entry must 
                        have Inbound values that equal the Outbound values 
                        in Unit A (and vice versa). If the key management 
                        type is ISAKMP, the entry must have Proposal ID 
                        values that match those of the entry in Unit A. 

                        • IPsec Settings 

                        The IPsec entry in Unit B must have Proposal ID 
                        values that match those of the IPsec entry in Unit A. 

                        • Routing 

                        Using this option overrides the routing tables and 
                        directly specifies a route. In most cases, you will not 
                        need to choose this option. A possible case for using 
                        this option might be to override the routing table and 
                        specify a particular next-hop router. 

                        If you do use this option, specify a route to Unit A. 

                        • Network Tables 

                        This element specifies which networks and subnets 
                        the Ravlin unit protects and where the Ravlin unit 
                        sends information from the protected networks and 
                        subnets. Create at least one entry in the Local 
                        Networks table that specifies a subnet to protect with 
                        Unit B. Create at least one entry in the Peer 
                        Networks table that specifies a host or subnet to 
                        which Unit B can send traffic. 

Settings Component      The Operational Mode value for Unit B must be set to 
                        VPN (the Apply Policy to All Traffic setting). 
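An added example, written for this page rather than taken from RedCreek, that checks the peer-matching rules in the table above together with the Inbound/Outbound reversal described for the Manual Key Information dialog box in "Creating a Key Management Table Entry" and the rule that both ends must have the same PFS setting. The dataclasses, the function names and every address, Security ID and key value below are constructed placeholders; nothing here reads a real unit's configuration.

```python
"""Added example (not RedCreek code): verify that two Ravlin units' policy data
entries mirror each other as the manual requires before an SA can be built."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ManualKeys:
    """Manual Key Information values; the peer holds them reversed."""
    enc_in: str
    enc_out: str
    auth_in: str
    auth_out: str
    spi_in: int     # 32-bit SPI carried in the ESP header
    spi_out: int


@dataclass(frozen=True)
class KeyMgmt:
    kind: str                                    # "Manual" or "ISAKMP"
    manual: Optional[ManualKeys] = None
    proposal_ids: FrozenSet[int] = frozenset()   # ISAKMP proposal IDs
    pfs: bool = False                            # Perfect Forward Secrecy


@dataclass(frozen=True)
class Unit:
    """Only the parts of a unit's configuration that the peer checks use."""
    name: str
    sid: str               # RedCreek Security ID (printed on the unit)
    remote_ip: str         # Remote interface IP address
    operational_mode: str  # "Pass All Traffic", "Block All Traffic" or "VPN"
    routing_entries: int   # number of rows in the Routing Table
    peer_type: str         # Peer Info > Type
    peer_ip: str           # Peer Info > IP Address
    peer_dn: str           # Peer Info > Distinguished Name
    key_mgmt: KeyMgmt
    ipsec_proposal_ids: FrozenSet[int]


def check_peer_pair(a: Unit, b: Unit) -> List[str]:
    """Return every mismatch that would stop units a and b establishing an SA."""
    problems: List[str] = []
    for me, peer in ((a, b), (b, a)):
        if me.operational_mode != "VPN":
            problems.append(f"{me.name}: operational mode must be VPN")
        if me.routing_entries == 0:
            problems.append(f"{me.name}: Routing Table has no entries")
        if me.peer_type != "Gateway":
            problems.append(f"{me.name}: peer type must be Gateway for a Ravlin peer")
        if me.peer_ip != peer.remote_ip:
            problems.append(f"{me.name}: peer IP is not {peer.name}'s Remote interface")
        if me.peer_dn != peer.sid:
            problems.append(f"{me.name}: peer DN is not {peer.name}'s Security ID")
        if me.key_mgmt.kind != peer.key_mgmt.kind:
            problems.append(f"{me.name}: key management type differs from {peer.name}")
        elif me.key_mgmt.manual is not None and peer.key_mgmt.manual is not None:
            mine, theirs = me.key_mgmt.manual, peer.key_mgmt.manual
            # Inbound on this side must equal Outbound on the peer side.
            if mine.enc_in != theirs.enc_out:
                problems.append(f"{me.name}: inbound encryption key != {peer.name} outbound")
            if mine.auth_in != theirs.auth_out:
                problems.append(f"{me.name}: inbound authentication key != {peer.name} outbound")
            if mine.spi_in != theirs.spi_out:
                problems.append(f"{me.name}: inbound SPI != {peer.name} outbound SPI")
    # Symmetric settings are compared once.
    if a.key_mgmt.kind == b.key_mgmt.kind == "ISAKMP":
        if a.key_mgmt.proposal_ids != b.key_mgmt.proposal_ids:
            problems.append("ISAKMP proposal IDs differ")
        if a.key_mgmt.pfs != b.key_mgmt.pfs:
            problems.append("PFS setting differs (both ends must match)")
    if a.ipsec_proposal_ids != b.ipsec_proposal_ids:
        problems.append("IPsec proposal IDs differ")
    return problems


# Constructed sample pair: addresses, Security IDs and keys are placeholders.
ISAKMP = KeyMgmt("ISAKMP", proposal_ids=frozenset({6}), pfs=True)
UNIT_A = Unit("Unit A", "SID-A-PLACEHOLDER", "192.168.138.2", "VPN", 1,
              "Gateway", "192.168.192.2", "SID-B-PLACEHOLDER", ISAKMP, frozenset({1}))
UNIT_B = Unit("Unit B", "SID-B-PLACEHOLDER", "192.168.192.2", "VPN", 1,
              "Gateway", "192.168.138.2", "SID-A-PLACEHOLDER", ISAKMP, frozenset({1}))

# Manual-key variant: each unit's Inbound values are the other's Outbound values.
KEYS_A = ManualKeys("enc-b2a", "enc-a2b", "auth-b2a", "auth-a2b", 0x200, 0x100)
KEYS_B = ManualKeys("enc-a2b", "enc-b2a", "auth-a2b", "auth-b2a", 0x100, 0x200)
MANUAL_A = replace(UNIT_A, key_mgmt=KeyMgmt("Manual", manual=KEYS_A))
MANUAL_B = replace(UNIT_B, key_mgmt=KeyMgmt("Manual", manual=KEYS_B))


def pfs_mismatch_problems() -> List[str]:
    """PFS enabled on one end only (the Ravlin Soft default is off) blocks the SA."""
    b_no_pfs = replace(UNIT_B, key_mgmt=replace(ISAKMP, pfs=False))
    return check_peer_pair(UNIT_A, b_no_pfs)


def unreversed_manual_key_problems() -> List[str]:
    """Copying Unit A's manual keys to Unit B unchanged, instead of reversing them."""
    b_copied = replace(MANUAL_B, key_mgmt=KeyMgmt("Manual", manual=KEYS_A))
    return check_peer_pair(MANUAL_A, b_copied)
```

check_peer_pair returns an empty list for the ISAKMP pair and for the correctly reversed manual-key pair; the two helper functions show the two configuration mistakes the manual warns about, a PFS setting that differs between the ends and manual keys that were copied rather than reversed, each reported as a list of mismatches.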
CREATING A RAVLIN SOFT CLIENT PDE 



Before a Ravlin Soft client and a Ravlin unit can establish an SA between them, the Ravlin 
unit must have a policy data entry for the client. This policy data entry specifies that the 
peer unit is a client machine, and not another Ravlin unit. The following example shows 
how to create such a policy data entry. 

Note: You cannot set up a security association between a Ravlin Soft client and 
a Personal Ravlin or a Personal Ravlin II. 



Setting Up the Key Management Table Entry 

To create an entry in the Key Management table, perform the following steps: 

1. Open the Policy Database component by double-clicking it, then open the Key 
Management subcomponent by double-clicking it. 

2. Right-click ISAKMP, then select Insert. 

The ISAKMP Key Management Entry dialog box appears. 



[Screenshot: ISAKMP Key Management Entry dialog box, with Retries, Preshared Key, 
an Enable Perfect Forward Secrecy checkbox, and a Selected Proposals list (ID, 
Encryption, Hash / Auth Mode columns) with a "Click here to add another proposal" 
entry.] 


3. Click the Add button near the upper-right portion of the dialog box. 
The ISAKMP Proposal Table dialog box appears. 
4. Highlight an ISAKMP proposal that matches the following characteristics: 



Note: Proposals 6, 13, and 15 each have the proper combination of default 
settings for a Ravlin Soft client. 

Caution! The proposals offered in this proposal list, and the index numbers that 
identify them, might be different in your release of the Ravlin firmware. 

After you click OK, the ISAKMP Key Management Entry dialog box reappears, 
showing a new Key Management entry. You invoke this entry when you create a 
policy data entry in the Policy Database. 

5. Click OK. 

The new entry appears in the Contents pane. 
Setting Up a Protocol Table Entry 

The following example assumes that an ESP tunnel will exist between a Ravlin Soft client 
and a Ravlin unit. 

To create a protocol entry, perform the following steps: 

1. Right-click the IPsec subcomponent under the Protocols component, then select 
Insert. 



The IPsec Protocol Entry dialog box appears. 
[Screenshot: IPsec Protocol Entry dialog box. It contains a Selected Proposals list 
with ID, Cipher Algorithm, and Encapsulation/Authentication columns, an Add button 
("Click here to add a proposal"), the IPSEC Protocol Type dropdown set to 
Encapsulating Security Payload, and OK and Cancel buttons.] 



2. From the IPsec Protocol Type dropdown, select the Encapsulating Security Payload 
(ESP) mode. 

Important: The IPsec protocol must match the protocol the client will use. This is 
configured through the Ravlin Soft client program. 

3. Click the Add button near the upper-right portion of the dialog box. 

The ESP Proposal Table dialog box appears. This dialog box presents ESP Tunneling 
and ESP Transport proposals, each with a different set of encapsulation and 
authentication options. 
4. Select the proposals you want to support in all client-to-Ravlin SAs, then click OK. 
(You can put as many as eight proposals in one entry.) 

The proposals appear in the IPsec Protocol Entry list. 

5. Click the OK button in the IPsec Protocol Entry dialog box. 

The new entry appears in the Contents pane. 
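The Important note above says the IPsec protocol in the entry must match what the client offers, and the Protocol Table entry holds at most eight proposals. The following Python block is an added example, not code from the manual or from RedCreek's software: it models a Protocol Table entry as a list of proposals, enforces those two constraints, shows how a client offer is matched against the entry (the matching order, initiator's preference first, is an assumption), and flags the 56-bit DES and MD5 options the manual mentions, which are no longer adequate choices. The proposal labels are constructed, not the Ravlin Node Manager's own identifiers.

```python
from collections import namedtuple

# One proposal as the manual describes it: IPsec protocol type, encapsulation
# mode, cipher and authentication algorithm. Labels are constructed.
Proposal = namedtuple("Proposal", "protocol mode cipher auth")

MAX_PROPOSALS_PER_ENTRY = 8  # "You can put as many as eight proposals in one entry."

# Options named in the manual that are no longer considered adequate.
WEAK_CIPHERS = {"DES-CBC-56"}
WEAK_AUTHS = {"MD5"}

# Constructed Protocol Table entry for client-to-Ravlin SAs (ESP only).
UNIT_ENTRY = [
    Proposal("ESP", "tunnel", "3DES-CBC-168", "SHA-1"),
    Proposal("ESP", "tunnel", "DES-CBC-56", "MD5"),
    Proposal("ESP", "transport", "3DES-CBC-168", "SHA-1"),
]


def build_entry(proposals):
    """Validate a Protocol Table entry: non-empty, at most eight proposals, and a
    single IPsec protocol type (the dropdown selects one type per entry)."""
    if not proposals:
        raise ValueError("an entry needs at least one proposal")
    if len(proposals) > MAX_PROPOSALS_PER_ENTRY:
        raise ValueError(f"an entry holds at most {MAX_PROPOSALS_PER_ENTRY} proposals")
    if len({p.protocol for p in proposals}) != 1:
        raise ValueError("an entry holds proposals for one IPsec protocol type only")
    return list(proposals)


def negotiate(unit_entry, client_offer):
    """Return the first proposal in the client's offer that the unit's entry also
    lists, or None when nothing matches (no SA can be established).
    Assumption: the responder honours the initiator's preference order."""
    accepted = set(unit_entry)
    for proposal in client_offer:
        if proposal in accepted:
            return proposal
    return None


def weak_proposals(entry):
    """List the proposals in an entry that rely on DES or MD5."""
    return [p for p in entry if p.cipher in WEAK_CIPHERS or p.auth in WEAK_AUTHS]


if __name__ == "__main__":
    entry = build_entry(UNIT_ENTRY)
    offer = [Proposal("ESP", "tunnel", "3DES-CBC-168", "SHA-1")]
    print("negotiated:", negotiate(entry, offer))
    # A client configured for AH cannot match an ESP-only entry.
    print("AH offer:", negotiate(entry, [Proposal("AH", "tunnel", None, "SHA-1")]))
    print("weak:", weak_proposals(entry))
```

Run it as a script to see a successful match, the protocol-mismatch failure the Important note warns about, and the DES/MD5 proposal that should be removed from the entry before it is used.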
Creating a Policy Data Entry 

Note: For the sake of explanation, the instructions that follow assume that you 
will not use the Wizard. The Wizard simplifies basic configuration, and 
automates the procedure described in this section. 

To create a new policy data entry, perform the following tasks: 

1. Right-click the Policy Data Entries component, then select Insert. 
The Confirm Use Policy Entry Wizard dialog box appears. 

2. For the purposes of this description, click No. 

3. Double-click the Policy Data Entries component. 

A new policy data entry appears under the Policy Data Entries component. 

4. Display the elements of the new policy data entry by double-clicking it. 



The elements appear just below the entry. 
Note: The settings shown above are defaults. 

The next step is to specify the peer network security device. 

5. Select the Peer Info element. 

6. Double-click the Type value in the Contents pane, select VPN Host from the 
dropdown list, then click OK. 

Note: This step is crucial. Setting the Type value to VPN Host specifies that the 
peer device is a Ravlin Soft client, rather than a Ravlin unit. 

7. Leave the IP Address value as is. 
Because the peer entity is a Ravlin Soft client instead of a directly addressable Ravlin 
unit, the setting should be 0.0.0.0 as shown in the Contents pane above. (Instead of 
using an IP address, the Ravlin unit uses the Distinguished Name setting to identify 
the Ravlin Soft client.) 

8. Double-click the Distinguished Name value in the Contents pane. 
The Peer Distinguished Name dialog box appears. 

9. Be sure the Use RedCreek Security ID checkbox is enabled, then enter the generic 
Ravlin Soft Security ID (3003-000-00000) in the entry field. 

10. Select the Key Management element. 

11. Double-click the Type value in the Contents pane, then select ISAKMP from the 
dropdown list. 

The ISAKMP entries you created in the Key Management table appear. 

12. Select the proposal you created for the Ravlin Soft client, then click OK. 
The settings appear in the Contents pane. 

13. Select the IPsec Settings element. 

A. Double-click the Index value. 
The IPsec Protocol table appears. 

B. Select the index that contains the Protocol proposal you created for the Ravlin 
Soft client, then click OK. 

Your choice appears in the Contents pane. 

14. In the Network Tables element, enter the IP address of the protected network (that is, 
the network or subnet the Ravlin unit is protecting). 

The policy data entry is now complete. For information on setting up the Ravlin Soft client 
to establish an SA with the Ravlin unit according to this policy data entry, refer to the 
Ravlin Soft User's Guide. 
RAVLIN NODE MANAGER COMPONENTS 



Network administrators use the Ravlin Node Manager to create, access, and modify 
configuration values. While displaying configuration values, the Ravlin Node Manager 
organizes them in groups called components. Each time you create or open a Ravlin unit's 
configuration file, the Ravlin Node Manager displays its components in the Item pane of 
the currently active unit window. 
The following is a brief overview of the components and the settings they contain. 



The Client Options Component 



The Client Options component contains settings that control how Ravlin Soft clients 
access the Ravlin unit through RADIUS authentication servers. 
The Client Options component consists of three subcomponents. 



• The RADIUS Settings subcomponent enables or disables RADIUS 
authentication servers, identifies the servers, and determines the order in which 
they receive authorization requests from the Ravlin unit. 

• The RADIUS Servers subcomponent contains a table identifying which RADIUS 
servers the Ravlin Soft clients can use for authentication. 

• The Client CA Certificates subcomponent lets you import CA certificates. The 
Ravlin unit uses a CA certificate during ISAKMP to confirm the validity of a 
certificate sent by a Ravlin Soft client. It does this by using the public key 
contained in the CA certificate to verify the issuer's signature on the user 
certificate sent by the client. 

When to Use The Client Options Component 

Use the RADIUS Settings and RADIUS Servers subcomponents only when at least one 
remote Ravlin Soft user needs to access the Ravlin unit through a RADIUS server. Use 
the Client CA Certificates subcomponent when you need a root certificate for verifying 
signatures on certificates sent by Ravlin Soft clients. 



The Interfaces Component 

The Interfaces component lets you assign identifying values to a Ravlin unit's network 
interfaces. 
Each Ravlin unit has two interfaces, the local interface and the remote interface. The local 
interface exchanges IP packets from the networks (or subnets) protected by the Ravlin 
unit, while the remote interface exchanges IP packets with an external source, typically 
from subnets located out in the Internet, similar to the following diagram: 
Because each interface has its own IP address and subnet mask, other network devices 
can identify and reference each interface independently. 

When To Use the Interfaces Component 

Use the Interfaces component whenever you need to specify or modify the parameters 
that identify a Ravlin unit's interfaces. For example, when you configure a new Ravlin unit, 
you must assign each interface an IP address and a subnet mask so other network devices 
(including other Ravlin units) can reference the interface. 



The MIB II Component 

When the Ravlin Node Manager accesses a Ravlin unit's firmware, it communicates using 
SNMP protocol. The MIB II component displays information about the MIB II groups 
supported by the Ravlin unit. 
The purposes of the standard MIB II groups are as follows: 

• Address Translation Group is an ARP table that displays the mapping of IP 
addresses to the MAC addresses for each Ethernet interface. 

• Interfaces Group displays statistics about packets (any protocol) received on 
each Ethernet interface. 

• SNMP Group displays statistics about SNMP packets. 

• System Group displays general information about the Ravlin unit. 

When to Use the MIB II Component 

Because the Ravlin Node Manager uses SNMP protocol to access and manage the Ravlin 
unit, SNMP traffic occurs whenever the Ravlin Node Manager changes or queries a 
setting. Operations performed on the Ravlin unit by other SNMP-based managers also 
generate SNMP traffic. Use the MIB II component whenever you need to monitor the 
SNMP traffic that occurs between the Ravlin unit and another management application. 



The Network Component 

Use the Network component to determine how and where the Ravlin unit directs traffic it 
receives from other devices. 
The Network component consists of two subcomponents, Packet Handling and Routing 
Table. 



• The Packet Handling subcomponent enables or disables non-IP network traffic 
and MAC broadcasts. It also lets you enable or disable Network Address 
Translation (NAT). 

Note: IP packet headers contain a setting called the Don't Frag bit. When 
this bit is set, it warns network applications not to fragment the 
packet. Enabling the Ignore Don't Frag Bit setting lets the Ravlin unit 
fragment large packets, even if the Don't Frag bit is set on. 

• The Routing Table subcomponent contains the global routing table, which 
specifies where the Ravlin unit directs network traffic it receives. 

When to Use the Network Component 

Use the Network component to tell a Ravlin unit where to direct network traffic. For 
example, when you configure a new Ravlin unit, you must specify at least one row in the 
Routing Table subcomponent, so the Ravlin unit will have a destination for the traffic it 
receives from other network devices. In addition, you must make an entry in the Routing 
Table subcomponent for each new network or subnet to which the Ravlin unit must direct 
traffic. You can also use the Network component to enable or disable SNMP Management. 

Enabling and Disabling Remote SNMP Management 

Ravlin Node Manager allows you to turn on or off the ability of a Ravlin device to accept SNMP 
packets on the remote interface. By default, the feature is enabled (accept SNMP packets on the 
remote interface). To disable this feature, in the Ravlin Node Manager window, open the 
Network component, click Packet Handling Options, and then double-click SNMP Management 
From Remote Interface. 



Cascading of Packets 



When necessary, you can enable or disable the cascading of packets from one Ravlin 
device to another. By default, the cascading of packets option is disabled. To enable 
cascading, open the Network component, click Packet Handling Options, and double-click 
Cascade Packets to Other Tunnels. 
The Policy Database Component 

Use the Policy Database component to design and modify the security associations (SAs) 
created by the Ravlin unit. You design an SA by creating a policy data entry (PDE), a 
collection of configuration settings that determine how the SA works. The Ravlin unit 
automatically establishes the SAs when any network device attempts to send IP packets 
through the unit. 
The Policy Database component consists of three subcomponents, Key Management, 
Protocol Tables, and Policy Data Entries. 

• The Key Management Table subcomponent lets you create key management 
profiles, which specify key types the Ravlin unit might use to establish the SAs. 
For example, a profile might specify 56-bit DES CBC key with MD5 hashing, or a 
168-bit Triple DES key with SHA-1 hashing. A profile might also specify a manual 
key. 

Important: Entries in this table are proposed settings, not active settings. To 
invoke a setting specified in this table, you must set up an entry in the 
Policy Data Entries subcomponent. 

• The Protocol Tables subcomponent lets you create SA protocol profiles, which 
specify security modes that SAs might use. For example, a profile might specify 
the ESP security mode with 3-key Triple DES encryption. 

Important: Entries in this table are proposed settings, not active settings. To 
invoke a setting specified in this table, you must set up an entry in the 
Policy Data Entries subcomponent. 

• The Policy Data Entries subcomponent contains profiles that define possible 
SAs. For example, a profile might describe an SA that uses 56-bit encryption in 
ESP mode with SHA-1 hashing. 

Note: When the Ravlin unit initiates an SA, it gets the necessary 
configuration information from an entry in the Policy Data Entries 
subcomponent. Without such an entry, the Ravlin unit cannot 
establish the SA. 
When To Use the Policy Database Component 



Use the Policy Database component whenever you want to design or modify an SA. For 
example, when you perform the initial setup of a Ravlin unit, you must create at least one 
entry in the Policy Data Entries subcomponent, or the unit cannot establish an SA and no 
secure data exchange can occur. 



The Reporting Component 



The Reporting component determines how the Ravlin unit routes status and error 
information generated when reportable events occur in the unit. 
The Reporting component contains two subcomponents, SNMP Trap Receivers and 
Syslog Setup. 

• The SNMP Trap Receivers subcomponent contains a table of network devices 
that can receive SNMP traps from the Ravlin unit. The Ravlin unit sends these 
traps automatically when critical events (such as a hashing failure or a reboot) 
occur on the unit. Each table entry identifies a trap receiver by its IP address and 
community string. 

• The Syslog Setup subcomponent determines which network device holds the 
Syslog error and status message file. The subcomponent identifies the device by 
its IP address and the port by its port number. 

When To Use the Reporting Component 

Use the Reporting component to specify where your system's Syslog files should reside, 
or to specify where your system should direct SNMP traps. 
The Settings Component 

With the Settings component, you set parameters that determine how the Ravlin unit 
performs its encryption and network tasks. 
DHCP Settings 

The DHCP Settings configuration parameters let you configure a Ravlin unit to use 
addresses generated by a Dynamic Host Configuration Protocol (DHCP) server. 
The settings you make in the DHCP Settings subcomponent are as follows. 
The DHCP Server IP Address Setting 



This is the IP address of a DHCP server. The Ravlin unit issues a DHCP request to this 
server to obtain an IP address for Ravlin Soft clients, or for a Ravlin unit that gets its local 
IP address from DHCP through the tunnel. The DHCP server sends this IP address back to 
the Ravlin unit, then the Ravlin unit sends a packet containing the IP address to the 
Ravlin Soft client. Thereafter, the client uses it as the Virtual IP address. 



The DHCP Broadcast Interface Setting 



The specific IP address of the DHCP server that generates the IP address for the Ravlin 
unit. As an alternative, you can specify a Ravlin unit interface through which the Ravlin 
unit broadcasts DHCP server requests. Your choice appears automatically in the DHCP 
Broadcast Interface item, described below. 

This feature allows you to specify a broadcast address for a DHCP server. If two DHCP 
servers are on two different segments, you can specify a primary and secondary DHCP 
server by configuring IP Helper on the router. If the router is located between the Ravlin 
unit and the DHCP servers, you must configure the router to specify the necessary IP 
Helper services. 

You set the DHCP Server IP address by double-clicking the DHCP Server IP Address 
item, which displays two options (shown below). 

If you select the Broadcast the DHCP request option, you must then select the interface 
(either local or remote) from which to broadcast the DHCP requests. 

If the DHCP Server IP Address is not a broadcast address, then the DHCP Broadcast 
Interface setting is Not Applicable. 
The Client DHCP Relay Gateway Address Setting 

This setting specifies the address range from which the DHCP server generates IP 
addresses for the Ravlin Soft client. For example, assume a DHCP server's configuration 
specifies IP address generation from the following ranges: 

Address Range   IP Address   Subnet Mask      Scope of Addresses 
A               10.1.1.0     255.255.255.0    10.1.1.1 through 10.1.1.254 
B               10.1.2.0     255.255.255.0    10.1.2.1 through 10.1.2.254 
C               10.1.3.0     255.255.255.0    10.1.3.1 through 10.1.3.254 

Example 1 

The following DHCP Relay Gateway Address setting tells the DHCP server to generate 
the host IP address from address range B. 

10.1.2.24 

The scope of addresses allowed by this setting is 10.1.2.1 through 10.1.2.254, excluding 
10.1.2.24. 

Example 2 

The following DHCP Relay Gateway Address setting tells the DHCP server to generate 
the host IP address from address range C. 

10.1.3.20 

The scope of addresses allowed by this setting is 10.1.3.1 through 10.1.3.254, excluding 
10.1.3.20. 



Example 3 

When you set the DHCP Relay Gateway Address value to 0.0.0.0, the DHCP server does 
not generate IP addresses according to its own range settings. Instead, it generates the IP 
address according to the IP address and subnet mask value of the Ravlin unit's Local 
interface. For example, assume the Local interface IP address and subnet mask are 10.1.3.5 
and 255.255.255.1. A DHCP Relay Gateway Address value of 0.0.0.0 makes the DHCP 
server generate IP addresses from 10.1.3.5 to 10.1.3.254, excluding 10.1.3.5. 
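The three examples above follow one rule: the relay gateway address selects the scope that contains it and is itself excluded, and 0.0.0.0 switches the server to the Ravlin unit's Local interface. The following Python block is an added example, not code from the manual or from RedCreek's software, that works that rule through with the scopes A, B and C from the table. It uses the standard library's ipaddress module, returns addresses as strings, and assumes a 255.255.255.0 mask for the Local interface in the 0.0.0.0 case; the DHCP server's actual allocation order is not modelled, only the set of addresses it may hand out.

```python
import ipaddress

# Constructed DHCP server scopes, mirroring the manual's address ranges A, B and C.
SCOPES = {
    "A": ipaddress.ip_network("10.1.1.0/255.255.255.0"),
    "B": ipaddress.ip_network("10.1.2.0/255.255.255.0"),
    "C": ipaddress.ip_network("10.1.3.0/255.255.255.0"),
}


def relay_scope(relay_gateway, scopes, local_if_addr, local_if_mask):
    """Return (scope_name, usable_addresses) for a Client DHCP Relay Gateway Address.

    A non-zero gateway address selects the scope that contains it, and the gateway
    address itself is excluded (Examples 1 and 2). 0.0.0.0 makes the server work from
    the Ravlin unit's Local interface instead: addresses above the interface address
    up to the last host of its subnet (Example 3). Addresses come back as strings.
    """
    gw = ipaddress.ip_address(relay_gateway)
    if gw == ipaddress.ip_address("0.0.0.0"):
        iface = ipaddress.ip_interface(f"{local_if_addr}/{local_if_mask}")
        usable = [h for h in iface.network.hosts() if h > iface.ip]
        return "local-interface", [str(h) for h in usable]
    for name, net in scopes.items():
        if gw in net:
            usable = [h for h in net.hosts() if h != gw]
            return name, [str(h) for h in usable]
    # A relay address outside every configured scope leaves the server nothing to
    # hand out; surface that as an error rather than returning an empty list.
    raise ValueError(f"{relay_gateway} is not inside any configured DHCP scope")


if __name__ == "__main__":
    for gw in ("10.1.2.24", "10.1.3.20", "0.0.0.0"):
        name, hosts = relay_scope(gw, SCOPES, "10.1.3.5", "255.255.255.0")
        print(f"{gw:>10} -> range {name}: {hosts[0]} through {hosts[-1]} "
              f"({len(hosts)} addresses)")
```

The script reproduces Examples 1 and 2 exactly (253 usable addresses each, with the gateway address removed) and, for Example 3, the addresses above 10.1.3.5 in the Local interface's subnet.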



The DHCP Relay for Failover 



This new feature allows redundancy of a head-end (or hub) Ravlin unit when using a 
DHCP Relay. 

Important: You must enable or disable this feature on the head-end Ravlin unit only. 
In addition, before enabling DHCP Relay for Failover, you must upgrade 
to firmware version 3.60 (or above) for all Ravlin gateway devices, 
including the hub unit and all spoke units. 

If any gateway Ravlin unit participating in DHCP Relay for Failover is not 
so upgraded, the hosts behind that unit can communicate one way only. 
(When DHCP Relay for Failover is disabled, this does not apply.) 

When disabled, the DHCP Relay for Failover feature is backward compatible. The default 
setting is disabled, as shown below. After upgrading to version 3.60, confirm this default. 
DHCP on Remote Port                     Disabled 
DHCP on Local Port                      Disabled 
Tunnel Local Host's DHCP Request        Disabled 


The DHCP on Local (or Remote) Port Settings 

Note: These settings bear no relationship with the DHCP Server IP Address 
setting (described above). They serve different purposes entirely. 

The DHCP Settings subgroup contains the following enable/disable settings. 

• DHCP on Local Port 

• DHCP on Remote Port 

Whichever port you enable (Local or Remote) is the port for which the Ravlin unit issues a 
DHCP request. 



The Tunnel Local Host's DHCP Request setting 

This setting enables or disables tunneling of DHCP requests between Ravlin units. 
Note: When a Ravlin unit uses DHCP, it is impossible to use a pre-shared key. 
This is due to a fundamental incompatibility between DHCP and the pre- 
shared key mode. 



Tunnel Status Settings 



This feature allows you to monitor the status, viability, and response time of an active 
tunnel. Tunnel status information consists of the percentage of traffic that successfully 
flows round trip through the tunnel, plus the minimum, maximum, and average time taken 
for the packets. 

This feature is backward-compatible with previous versions of Ravlin firmware. 

Important: To use tunnel status monitoring, you must update only the head-end 
Ravlin unit to 3.60, not necessarily both units. 

You can configure tunnel status monitoring with Tunnel Status Settings, located under 
the Settings component. Tunnel status monitoring is disabled by default, as shown 
below. 



Tunnel Status Settings 
    Polling Time Interval        Polling Disabled 
    Reporting Time Interval      Reporting Disabled 
    Warning Trap Threshold       75 percent 



The Polling Time Interval determines how often the Ravlin unit sends the round-trip 
test traffic, and the Reporting Time Interval determines how frequently the Ravlin unit 
reports the traffic statistics to a Syslog server. The Warning Trap Threshold determines 
how far performance can degrade before the Ravlin unit generates an SNMP trap. 

To start tunnel status monitoring, set the Polling Time Interval to between 30 and 600 
seconds (inclusive), and set the Reporting Time Interval to between 60 and 7200 seconds 
(inclusive). If necessary, set the Warning Trap Threshold to the desired percentage. The 
minimum is 1 and the maximum is 100. 
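The following Python block is an added example, not code from the manual or from RedCreek's software. It checks a set of Tunnel Status Settings against the ranges stated above and computes, from a constructed list of poll results, the statistics the manual lists (success percentage and minimum, maximum and average round-trip time), then decides whether the Warning Trap Threshold has been crossed. Two details are assumptions rather than statements from the manual: the trap fires when the success percentage drops strictly below the threshold, and a Reporting Time Interval shorter than the Polling Time Interval is treated as a configuration error.

```python
# Valid ranges stated in the manual (all inclusive).
POLLING_RANGE = (30, 600)      # seconds
REPORTING_RANGE = (60, 7200)   # seconds
THRESHOLD_RANGE = (1, 100)     # percent

# Constructed poll results for one reporting interval: round-trip time in
# milliseconds for each probe, or None when the probe never came back.
SAMPLE_POLL = [12.0, 15.5, None, 11.2, 14.1, None, 13.0, 12.8]


def validate_settings(polling_s, reporting_s, threshold_pct):
    """Return the list of problems with the three settings (empty when valid)."""
    problems = []
    for name, value, (lo, hi) in (
        ("Polling Time Interval", polling_s, POLLING_RANGE),
        ("Reporting Time Interval", reporting_s, REPORTING_RANGE),
        ("Warning Trap Threshold", threshold_pct, THRESHOLD_RANGE),
    ):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} is outside {lo}-{hi}")
    if not problems and reporting_s < polling_s:
        # Assumption, not from the manual: a report should cover at least one poll.
        problems.append("Reporting Time Interval is shorter than Polling Time Interval")
    return problems


def summarize(samples):
    """Compute the statistics the manual lists for one reporting interval:
    percentage of probes that completed the round trip, plus min/max/average RTT."""
    if not samples:
        raise ValueError("no poll results to summarize")
    answered = [s for s in samples if s is not None]
    summary = {"success_pct": 100.0 * len(answered) / len(samples),
               "min_ms": None, "max_ms": None, "avg_ms": None}
    if answered:
        summary.update(min_ms=min(answered), max_ms=max(answered),
                       avg_ms=sum(answered) / len(answered))
    return summary


def warning_trap_due(summary, threshold_pct):
    """True when the success percentage has fallen below the Warning Trap Threshold.
    Assumption: a strict drop below the threshold triggers the trap."""
    return summary["success_pct"] < threshold_pct


if __name__ == "__main__":
    print("settings problems:", validate_settings(120, 600, 75))
    stats = summarize(SAMPLE_POLL)
    print("stats:", stats)
    print("trap at 75%:", warning_trap_due(stats, 75),
          "trap at 80%:", warning_trap_due(stats, 80))
```

With the constructed sample (two of eight probes lost) the success rate is exactly 75 percent, so the default threshold of 75 does not trap while a threshold of 80 does; that boundary is worth knowing when you pick the threshold.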



Control Settings 

The Control Settings configuration parameters determine how the Ravlin unit operates in 
the VPN environment. 
ARP Cache Cleanup Interval    Determines if the Ravlin unit performs automatic ARP 
                              cache cleanups, and specifies the interval between 
                              such cleanups. 

Operational Mode              Specifies the default action to take when the Ravlin 
                              unit detects an IP packet. The possible settings are: 

                              • Pass all traffic 
                                The Ravlin unit passes all IP traffic in the clear. 

                              • Block all traffic 
                                The Ravlin unit blocks all IP traffic. 

                              • Virtual Private Network 
                                The Ravlin unit encrypts, blocks, or passes IP 
                                traffic according to the entries in the policy 
                                database. 

Inactive Client Timeout       Determines how long the Ravlin unit waits before 
                              terminating a security association between the Ravlin 
                              unit and an inactive Ravlin Soft client. 

Password                      Determines the password required to access this 
                              Ravlin unit's configuration parameters with the Ravlin 
                              Node Manager. The password consists of 2-16 
                              alphanumeric characters. Passwords of at least 8 
                              characters are recommended. As you enter the 
                              password, it appears as a sequence of asterisk (*) 
                              symbols for security. The default password for all 
                              Ravlin units is "1234". 



SNMP Settings 

The SNMP Settings configuration parameters consist of community string settings. The 
purpose of a community string is to identify valid sources for SNMP requests, and to limit 
the scope of accessible information. The Ravlin unit uses the community string like a 
password, allowing only a limited set of management stations to access its MIB. 

• READ Community String 

Specifies a name (public by default) for the read-only SNMP community string. 
This community string allows GET operations, but does not allow SETs. 

• WRITE Community String 

Specifies a name (private by default) for the read-write SNMP community string. 
This community string allows both GET and SET operations. 

When you view a Ravlin unit's configuration information using the Ravlin Node Manager, 
the unit compares its READ community string with that of your host machine. If both 
READ settings are identical, you can view the configuration information without the 
correct Ravlin unit password. However, you cannot change a setting on the Ravlin unit 
without the correct WRITE community string and the correct Ravlin Password. Any 
attempt to do so generates a "Verification of Hash value" error message. 
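The Control Settings and SNMP Settings above, together with the SNMP Management From Remote Interface setting in the Network component, are the values that decide who can read and change a unit's configuration. The following Python block is an added example, not code from the manual or from RedCreek's software: it audits a snapshot of those settings against what this section states (factory password "1234", 2-16 alphanumeric characters with 8 recommended, "public"/"private" community string defaults, remote-interface SNMP management enabled by default, and the Pass all traffic mode). The dictionary layout and key names are assumptions made for the example; the Ravlin Node Manager has no such export format.

```python
# Constructed snapshot of a freshly configured unit, using the defaults the
# manual states. The key names are an assumption for this example only.
FACTORY_UNIT = {
    "control": {"operational_mode": "Virtual Private Network", "password": "1234"},
    "snmp": {"read_community": "public", "write_community": "private"},
    "network": {"snmp_management_from_remote_interface": True},
}

FACTORY_PASSWORD = "1234"
FACTORY_COMMUNITIES = {"read_community": "public", "write_community": "private"}
PASSWORD_LENGTH = (2, 16)        # allowed, per the Password setting
RECOMMENDED_PASSWORD_LENGTH = 8  # recommended, per the Password setting


def audit_unit(cfg):
    """Return a list of findings; an empty list means nothing in this snapshot
    contradicts the manual's recommendations."""
    findings = []
    pw = cfg["control"]["password"]
    if pw == FACTORY_PASSWORD:
        findings.append("Ravlin Password is still the factory default")
    lo, hi = PASSWORD_LENGTH
    if not (lo <= len(pw) <= hi and pw.isalnum()):
        findings.append(f"Ravlin Password must be {lo}-{hi} alphanumeric characters")
    elif len(pw) < RECOMMENDED_PASSWORD_LENGTH:
        findings.append(f"Ravlin Password is shorter than the recommended "
                        f"{RECOMMENDED_PASSWORD_LENGTH} characters")
    snmp = cfg["snmp"]
    for key, default in FACTORY_COMMUNITIES.items():
        if snmp[key] == default:
            findings.append(f"SNMP {key} is the factory default '{default}'")
    if snmp["read_community"] == snmp["write_community"]:
        # A shared string gives every reader SET access as well.
        findings.append("READ and WRITE community strings are identical")
    if cfg["network"]["snmp_management_from_remote_interface"]:
        findings.append("SNMP Management From Remote Interface is enabled "
                        "(the unit accepts SNMP on the Internet-facing interface)")
    if cfg["control"]["operational_mode"] == "Pass all traffic":
        findings.append("Operational Mode passes all IP traffic in the clear")
    return findings


def hardened_copy(cfg, password, read_community, write_community):
    """Return a copy of cfg with the three secrets replaced and remote SNMP
    management disabled, for comparison against the factory snapshot."""
    return {
        "control": {**cfg["control"], "password": password},
        "snmp": {"read_community": read_community, "write_community": write_community},
        "network": {**cfg["network"], "snmp_management_from_remote_interface": False},
    }


if __name__ == "__main__":
    for finding in audit_unit(FACTORY_UNIT):
        print("factory:", finding)
    # Constructed replacement values; pick your own on a real deployment.
    hardened = hardened_copy(FACTORY_UNIT, "Gx7kQ92pLm4", "rdX41qz", "wrT93ab")
    print("hardened:", audit_unit(hardened))
```

Run it as a script: the factory snapshot produces five findings, the hardened copy none. The same checks apply whichever way you read the unit's settings out, and they are the first things to confirm after the initial setup described earlier in this manual.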



ULA Settings 

The ULA Settings component lets you set configuration parameters concerning user-level 
authentication (ULA). The Authentication Timeout setting determines how long the 
Ravlin unit waits for ULA authentication before terminating the authentication attempt, 
and the Authentication Port setting determines which logical port on the ULA host 
transmits and receives ULA information. 



The Status Component 

The Status component monitors the current behavior and performance of the Ravlin unit. 
The SA Statistics subcomponent displays the following status values: 

Item                       Purpose 
Active SA Count            The number of security associations (SAs) currently 
                           active in this Ravlin unit. 
Pending SA Count           The number of initiated SAs that are not yet fully 
                           established. 
Signature Failure Count    The number of unsuccessful attempts to verify a digital 
                           signature. 
RAVLIN NODE MANAGER TOOLS 



The Ravlin Node Manager offers three tools for managing Ravlin units: the MIB Walk 
Tool, the Firmware Upgrade Tool, and the Ping Tool. 

MIB Walk Tool 

The MIB Walk Tool displays the variables defined by the management information base 
(MIB) for the system. 
Use this tool to view, copy, and delete the values contained in these variables. To access 
the MIB Walk Tool, select Tools | MIB Walk. 

Firmware Upgrade Tool 

The Firmware Upgrade Tool automates the process of downloading new firmware 
versions. To access this tool, select Tools | Firmware Upgrade. 

Using this tool to upgrade the Ravlin unit's boot-ROM erases most of the existing 
settings, such as policy data entries. (The IP addresses are maintained so communication 
with the unit over the network is not lost during or after the upgrade process.) Before 
downloading new boot-ROM versions, be sure to record your settings so you can restore 
them afterwards. 

Upgrading only the firmware does not erase existing settings, and the entire configuration 
is maintained. 
Caution! After downloading a new version of the boot-ROM, DO NOT power-down 
or reboot the Ravlin unit until 15 seconds (or more) have passed. 
Otherwise, the Ravlin unit will lose its ability to communicate with other 
devices, and will require remanufacturing. 



Ping Tool 



The Ping Tool executes a ping command to confirm the existence of network devices by IP 
addresses. 
To access this tool, select Tools | Ping. 

SETTING UP RADIUS AUTHENTICATION FOR ULA 



This section describes the setup procedure for RADIUS authentication. The topics in this 
section are — 



About RADIUS Authentication 
Implementation Process Overview 
Specifying RADIUS and ULA Settings 
Installing the ULA Client Application 
RADIUS Exceptions Behind the Remote Ravlin 
Running Ravlin Soft with ULA Client 



About RADIUS Authentication 

Remote Authentication Dial-In User Service (RADIUS) authentication is for authentication 
of users behind a remote Ravlin device. Performing such authentication requires a user 
name and password handshake between the RADIUS server (located behind the headend 
Ravlin device) and the users behind the remote Ravlin device. 
Any access request to and from a host behind a remote Ravlin device is challenged and 
routed to the RADIUS server. In this example, Host A initiates an access request from 
behind the remote Ravlin device. 

1. After the remote Ravlin and the Headend Ravlin establish a security association for 
Host A, Host A's user attempts to check email on the email server. 

2. Because the headend Ravlin is configured for RADIUS authentication, it generates a 
RADIUS challenge, prompting for user name and password. The user can receive the 
challenge and respond, because Host A runs the ULA client application. 

3. The headend Ravlin unit forwards the user name and password from Host A to the 
RADIUS server for verification. 

• If the user name and password from Host A match the user name and password 
in the RADIUS server authentication database, the RADIUS server sends an 
accept message to Host A, thus allowing the user to access the email server. 

• If the user name and password from Host A do not match the user name and 
password in the RADIUS database, the RADIUS server rejects the access 
request. 

Important! Currently, only the data packets transmitted between the remote Ravlin 
and the headend Ravlin are encrypted according to the IPsec standards. 
Traffic between the Ravlin device and the hosts behind it are in the clear. 
You cannot run Ravlin Soft and the ULA client application on the same 
host at the same time. 
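Step 3 above is a RADIUS Access-Request from the headend Ravlin (acting as the RADIUS client) to the server, answered with an Access-Accept or Access-Reject. The following Python block is an added example, not code from the manual or from RedCreek's software: it builds both sides of that exchange on the wire format of RFC 2138 (the version the manual requires; RFC 2865 later replaced it without changing these packets), including the User-Password hiding with the shared secret and the Response Authenticator the client checks before trusting the answer. Only User-Name and User-Password are carried; the shared secret, user database and identifiers are constructed, and no network I/O takes place.

```python
import hashlib
import secrets

# RADIUS packet codes and attribute types from RFC 2138 (unchanged in RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(atype, value):
    """Encode one attribute as Type, Length (covering type and length), Value."""
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data):
    """Decode the attribute list into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2138 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block  # the chain continues from the hidden block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the NUL padding is stripped again."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """Headend side: wrap the user's credentials in an Access-Request."""
    request_auth = secrets.token_bytes(16)  # fresh and unpredictable per request
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    length = HEADER_LEN + len(attrs)
    return bytes([ACCESS_REQUEST, ident]) + length.to_bytes(2, "big") + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2138."""
    length = HEADER_LEN + len(attrs)
    return hashlib.md5(bytes([code, ident]) + length.to_bytes(2, "big")
                       + request_auth + attrs + secret).digest()


def server_handle(packet, secret, user_db):
    """RADIUS server side: recover the password, check it against user_db, and
    answer with an Access-Accept or Access-Reject bound to this request."""
    ident, request_auth = packet[1], packet[4:HEADER_LEN]
    attrs = parse_attrs(packet[HEADER_LEN:])
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and secrets.compare_digest(user_db[user], pw)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request_auth, secret)
    return bytes([code, ident]) + HEADER_LEN.to_bytes(2, "big") + auth


def client_verify(response, request, secret):
    """Headend side: return the response code only when the identifier matches and
    the Response Authenticator shows the reply was built with the shared secret."""
    if response[1] != request[1]:
        return None
    expected = response_authenticator(response[0], response[1], response[HEADER_LEN:],
                                      request[4:HEADER_LEN], secret)
    if not secrets.compare_digest(expected, response[4:HEADER_LEN]):
        return None
    return response[0]


def demo():
    """Run both outcomes of the exchange with a constructed secret and user database."""
    secret, db = b"constructed-shared-secret", {b"hosta-user": b"correct horse battery"}
    good = build_access_request(1, b"hosta-user", b"correct horse battery", secret)
    bad = build_access_request(2, b"hosta-user", b"wrong password", secret)
    return (client_verify(server_handle(good, secret, db), good, secret),
            client_verify(server_handle(bad, secret, db), bad, secret))


if __name__ == "__main__":
    print(demo())  # (2, 3): Access-Accept for the right password, Access-Reject otherwise
```

Two properties matter for the deployment described in this section: the password never travels in the clear between the headend Ravlin and the RADIUS server, but its protection rests entirely on the shared secret, and an Access-Accept is only meaningful if the client verifies the Response Authenticator, otherwise anyone on that path could answer "accept".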



Implementation Process Overview 

To implement RADIUS authentication, you need the following items. 

• Ravlin firmware version 3.50 or higher (on the headend Ravlin unit) 

• ULA Client 1.1 (on the Ravlin Node Manager Tools CD) 

• RADIUS server that is compliant with RFC 2138. 

To implement RADIUS authentication in your VPN — 

1. Upload Ravlin firmware 3.50 to the headend Ravlin unit. 

The remote Ravlin device does not require Ravlin firmware 3.50. 

2. Install Ravlin Node Manager on the host that will configure the headend Ravlin unit. 

3. Configure the headend Ravlin device using Ravlin Node Manager 3.60. Be sure to 
specify the RADIUS settings and enable user-level authentication (ULA). 
4. Install ULA Client 1.1 on every host computer residing behind the remote Ravlin unit 
that requires RADIUS authentication. 



Specifying the RADIUS and ULA Settings 

To set up RADIUS authentication in Ravlin Node Manager — 

1. In Ravlin Node Manager, set up a security policy with User Level Authentication 
enabled on the headend Ravlin unit. 

Open the Policy Database component, open the Policy Data Entries subcomponent, 
and then click VPN. The VPN attributes appear in the contents pane. Double-click 
User Level Authentication in the contents pane to enable it. 

Important! You do not need to enable User Level Authentication on the remote 
Ravlin device. 

2. Specify the RADIUS settings (under the Client Options component). The settings 
are — 

• Authentication Status — Indicates whether RADIUS authentication is enabled. 
Double -click Authentication Status to set the status to Enabled. 

• Active Radius Server — Displays the IP address of the active RADIUS server. If 
the address is not correct, open the Radius Servers subcomponent and correct 
the IP address. 

• Priority — Displays the priority sequence of the RADIUS servers. If this 
sequence is not correct, double -click Priority and reset the server priority. 

3. Specify the Control settings (under the Settings component). 

4. Specify the SNMP settings (under the Settings component). 

5. Set the ULA Settings attributes (under the Settings component). 



Installing the ULA Client Application 

After you specify the RADIUS and ULA settings in Ravlin Node Manager, you can install 
the ULA Client application on the remote hosts. (A copy of ULA Client is on the Ravlin 
Node Manager Tools CD. If necessary, you can make copies of this CD and distribute 
ULA Client to the remote users.) 

The remote computers must — 

• Run the Windows, Linux, or Solaris operating system. 

• Be protected by a remote Ravlin unit. 
• Require RADIUS authentication. 



Windows Users 

The Windows computers must meet the following minimum requirements for ULA Client: 

• Pentium®-based computer with a 166 MHz or faster processor 

• 64 MB RAM 

• 65 MB of free hard disk space 

• Windows 95, Windows 98, Windows ME, Windows NT 4.0 (Service Pack 4 or later), 
or Windows 2000 

• Java Runtime Environment (JRE) 1.3 or later (installed automatically during the ULA 
Client installation process) 

• Display monitor setting using a color palette of 256 colors or better 

To install ULA Client on hosts running Windows — 

1. Insert the Ravlin Node Manager Tools CD into the remote host's CD drive. The 
InstallShield window appears. 

If the installation does not start automatically, copy setup.exe to the Windows 
desktop. Then, from the Start menu select Run. When the Run dialog box appears, 
click Browse. When the Browse dialog box appears, locate and select setup.exe, 
and then click Open. The Installer window appears. 

2. Click Next to begin the setup process. 

3. Follow the instructions in the Installer window. 

4. Click Finish to return to the Windows desktop. 
To start ULA Client, from the Start menu select Programs | ULA Client | Start ULA 
Client. The ULA icon appears in the status area of the Windows task bar. When the 
remote user accesses a host behind the headend Ravlin device, a dialog box appears 
prompting for the user name and password. If the user name and password are approved, 
the user can access the desired hosts behind the headend Ravlin unit. 

Note: ULA Client starts automatically whenever you restart the computer. 

Important! To run Ravlin Soft on the same host as the ULA Client application, the 
user must first terminate the ULA Client session. 

Linux Users 

The Linux hosts must meet the following requirements. 

• Pentium-based computer with a 166 MHz (or faster) processor 

• 32 MB RAM (48 MB is recommended) 

• 65 MB of free hard disk space 

• Display monitor setting using a color palette of 65,536 colors or better 

• Linux kernel 2.2.12 or later 

• glibc 2.1.2 or later (the GNU C library for the Linux OS) 

• KDE or Gnome desktop interface 

• Java Runtime Environment (JRE) 1.3 or later (provided on the Ravlin Node Manager 
Tools CD) 

To install ULA Client on hosts running Linux — 

1. Insert the Ravlin Node Manager Tools CD into the remote computer CD drive. 

2. Start the File Manager Terminal window. 

3. Double-click the Linux folder. 

4. If the Java Runtime Environment (JRE) version 1.3 is already installed on your system, 
double-click the Full folder. Otherwise, double-click the Upgrade folder. 

5. Double-click the setup file and use the install shield to perform the installation. 
To start ULA Client, from the Windows desktop click Application Starter, point to ULA 
Client, and then click Start ULA Client. The ULA Client window appears on the desktop 
to indicate that it is running and waiting for a connection. As soon as the remote user 
accesses a host behind the headend Ravlin device, a dialog box appears prompting for the 
user name and password. If the user name and password are approved, the remote user can 
access the desired hosts behind the headend Ravlin. 

To exit ULA Client, click the Close button in the ULA Client window. The ULA Client 
window closes and the ULA Client session terminates. 

To uninstall ULA Client, from the Windows desktop click Application Starter, point to 
ULA Client, and then click Uninstall ULA Client. The Uninstaller window appears. Follow 
the instructions on the screen. When you reach the last page of the Uninstaller window, 
click Finish. 

Solaris Users 

The Solaris host must meet the following requirements. 

• SPARC™ or equivalent computer 

• Must run Solaris 8 

• Must have all required patches for running the Java Runtime Environment (JRE) 

• Java Runtime Environment (JRE) 1.3 or later (provided on the Ravlin Node Manager 
Tools CD) 

For the list of patches and patch installation instructions, see the Sun Microsystems Web 
site at http://java.sun.com/j2se/1.3/README.sparc. 

To install ULA Client on hosts running Solaris — 

1. Insert the Ravlin Node Manager Tools CD into the remote computer CD drive. 

2. Start the File Manager Terminal window. 

3. Double-click the Solaris folder. 

4. If the Java Runtime Environment (JRE) version 1.3 is already installed on your system, 
double-click the Full folder. Otherwise, double-click the Upgrade folder. 

5. Double-click the setup file and use the install shield to perform the installation. 
To start ULA Client, locate and open the ULA Client folder. Double-click the run icon. 
The ULA Client window appears on the desktop, indicating that it is running and waiting 
for a connection. As soon as the remote user accesses a host behind the headend Ravlin 
device, a dialog box appears prompting for the user name and password. If the user name 
and password are approved, the remote user can access the desired hosts behind the 
headend Ravlin. 

To exit ULA Client, click the application icon in the upper left corner of the ULA Client 
window. The ULA Client window closes and the ULA Client session terminates. 

To uninstall ULA Client, from the desktop locate and open the ULA Client folder. Open 
the _uninstall folder, and then double-click the uninstaller icon. The Uninstaller window 
appears and uninstalls ULA Client. When the uninstallation process is finished, all the 
ULA files are removed except for the ULA Client folder. 



RADIUS Exceptions Behind the Remote Ravlin 

After you implement RADIUS authentication as described, the RADIUS server challenges 
any access attempt to or from any host behind the remote Ravlin. However, you can set 
up exceptions so that certain hosts do not receive RADIUS challenges. Printers or servers 
behind the remote Ravlin are examples of these exceptions. See the illustration below. 

[Illustration: RADIUS exceptions behind the remote Ravlin. Labels in the figure: 
Printer (requires a 32-bit subnet mask); remote hosts (require ULA Client 1.0); Remote 
Ravlin; Headend Ravlin (requires firmware 3.50, ULA enabled); RADIUS Server; Email 
Server.] 

To set up the exception, assign a static IP address to the printer or server but with a 
32-bit subnet mask. You enter this address in Ravlin Node Manager, under Network 
Tables. Be sure to provide this address when you configure the remote Ravlin and the 
headend Ravlin. 
Caution! All hosts given the 32-bit subnet mask are assumed to be trusted entities 
in the VPN. Do not use the 32-bit subnet mask for any other host. 



[Screenshot: Ravlin Node Manager - [Rav10.rav], Network Tables with the Local Networks 
and Peer Networks subcomponents; the Network Number / Network Mask list shows one 
entry with mask 255.255.255.0 and one entry with mask 255.255.255.255.] 



Running Ravlin Soft with ULA Client 

Important! Ravlin Soft and the ULA Client application both need to access port 1812 
for RADIUS authentication. Therefore, if the remote user plans to run 
Ravlin Soft on the same host, the user must first exit the ULA Client 
application. 

To turn off the ULA Client application, right-click the ULA icon on the Windows taskbar. 
A shortcut menu appears. Select Exit. The ULA Client application is turned off and the 
ULA icon is removed from the taskbar. The user can now start Ravlin Soft. 
RADIUS SERVERS 



This appendix discusses RADIUS server configuration issues for VPNs. 

Note: RedCreek supports the standards specified in the current RADIUS RFC 
document #2138, and uses the vendor-specific type (#26) to extend 
RADIUS for VPN clients. RedCreek Communications, Inc. does not 
provide direct support for individual RADIUS server implementations for 
RedCreek device integration. It is the network administrator's 
responsibility to be familiar with the internal workings of their individual 
RADIUS server. Please refer to RFC #2138 at the IETF Web site 
(http://www.ietf.org) for more information. 

Setting Ravlin Soft Client Parameters Via RADIUS 

RADIUS is a transaction-based remote access authentication service that uses a 
dedicated server. When remote users dial in to a remote access device, such as a Ravlin 
unit, that device requests user authentication from the RADIUS server, including name 
and password. The RADIUS server performs the authentication, using its centrally 
located remote user database, and returns an Accept or a Reject response to the Remote 
Access Server. If accepted, clients are routed onto the network. If a client is rejected, the 
server bars access. 

RADIUS servers can also perform connection accounting, recording basic information 
such as the number of bytes transferred and time connected. 

A RADIUS server may set Ravlin Soft client parameters by passing configuration 
information after an ISAKMP exchange succeeds. After authentication, the RADIUS 
server can send the following information back to the Ravlin unit: 

• Tunneled IP address 

• DNS server 

• WINS server 

• Net Mask 

• DNS search list 

• Host name 

The specific RADIUS RFC features that relate to RedCreek are as follows: 

• Shared Secret passwords between the Ravlin unit and the RADIUS Server 

• Password encryption between the client and the RADIUS Server using MD5 

• CHAP (Challenge Handshake Authentication Protocol) - An authentication 
method in which the remote access or network server sends the client a key to 
use for encrypting the user name and password, for protection against 
eavesdropping. The encryption algorithm is usually MD5. (PAP, Password 
Authentication Protocol, may also be used but PAP passes user names and 
passwords in the clear, providing far weaker security.) 
• Remote configuration information is built into individual Access-Accept packets 
as part of an Attributes field. 

Configuration tasks are simplified on the client by allowing the RADIUS server to set the 
values. The network manager can pre-configure IP information for a group of dial-in users. 

Sample RADIUS Attributes 

The following information is provided as a basic configuration example for a RADIUS 
server. Configurations on your system may vary. 

To enable dynamic configuration on a Ravlin Soft remote client, vendor-specific attributes 
must be edited in certain RADIUS configuration files. The following examples illustrate 
how this is done for Ascend RADIUS servers. Other RADIUS servers implement this 
feature differently, but the basic principles still apply. 

The Vendors File 

Declare a RedCreek entry in the RADIUS vendors file. Here is an example of the entry for 
Ascend RADIUS server: 

RedCreek.attr RedCreek.value 1958 RedCreek 

The Dictionary File 

Declare the RedCreek attribute variables in the RADIUS dictionary file. Here is an example 
of entries in the dictionary file for Ascend RADIUS server: 

# RedCreek Tunneling Config 

RedCreek.attr  RedCreek-Tunneled-IP-Addr       5   ipaddr  (*, 0) 
RedCreek.attr  RedCreek-Tunneled-IP-Netmask    6   ipaddr  (*, 0) 
RedCreek.attr  RedCreek-Tunneled-Gateway       7   ipaddr  (1, 0) 
RedCreek.attr  RedCreek-Tunneled-DNS-Server    8   string  (1, 0) 
RedCreek.attr  RedCreek-Tunneled-WINS-Server1  9   string  (1, 0) 
RedCreek.attr  RedCreek-Tunneled-WINS-Server2  10  string  (1, 0) 
RedCreek.attr  RedCreek-Tunneled-HostName      11  string  (1, 0) 
RedCreek.attr  RedCreek-Tunneled-DomainName    12  string  (1, 0) 
RedCreek.attr  RedCreek-Tunneled-Search-List   13  string  (1, 0) 


The Clients File 

Declare the IP address of the Ravlin unit that uses the Ravlin Node Manager in the 
RADIUS Clients file, using the following format: 
<Ravlin 10 IP address> <shared secret> <type> 

For example, the Client file entry for an Ascend RADIUS server might look like: 

# 
#Client          Name        Key 
# 
#RedCreek Ravlin Manager Software 
192.168.2.230    mysecret    type=RedCreek:MAS 



The Users File 

Declare the attributes supporting ESP in the RADIUS Users file as follows: 

RedCreek-Tunneled-IP-Addr        <IP address>, 
RedCreek-Tunneled-IP-Netmask     <IP mask>, 
RedCreek-Tunneled-Gateway        <IP address>, 
RedCreek-Tunneled-DNS-Server     "<IP addr. comma sep. list>", 
RedCreek-Tunneled-WINS-Server1   "<IP address>", 
RedCreek-Tunneled-WINS-Server2   "<IP address>", 
RedCreek-Tunneled-HostName       "<host name>", 
RedCreek-Tunneled-DomainName     "<domain name>", 
RedCreek-Tunneled-Search-List    "<domain names comma sep. list>" 

Here is a possible example of such an entry: 

RedCreek-Tunneled-IP-Addr        192.168.2.222, 
RedCreek-Tunneled-IP-Netmask     255.255.255.0, 
RedCreek-Tunneled-Gateway        192.168.2.1, 
RedCreek-Tunneled-DNS-Server     "172.16.8.69, 172.8.0.21", 
RedCreek-Tunneled-WINS-Server1   "192.168.2.82", 
RedCreek-Tunneled-WINS-Server2   "192.168.2.10", 
RedCreek-Tunneled-HostName       "Binky", 
RedCreek-Tunneled-DomainName     "the.rabbit.com", 
RedCreek-Tunneled-Search-List    "ens.corp.com, redcreek.com" 


MN-00038 C 
CERTIFICATES 



Before a Ravlin Soft client can communicate with a Ravlin device, the Ravlin device must 
have the CA certificate upon which the client's user certificate is based. You can use the 
default certificate that is provided with the device, or you can import a CA certificate. 

To import the CA certificate — 

1. Obtain the identifying information for the client's CA certificate. 

This information includes the following: 

C Country Code Example: US 

O Organization Code Example: RedCreek 

OU Organization Unit Example: Engineering 

CN Common Name Example: NYOffice_Cert 

You will need this information later when you import the CA certificate into a policy 
data entry (PDE). 

Note: You can get this information by viewing it in the ReD i-Cert application, or by 
viewing the information from the Certificates page of the Ravlin Soft window. 

2. Start Ravlin Node Manager and open the desired configuration file. 

3. Open the Client Options component, right-click Client CA Certificates, and then 
select Insert from the shortcut menu. 

The Client CA Certificate dialog box appears. 

4. Click Select to locate and select the CA certificate file. 

The identification fields from the CA certificate you selected appear in the Client CA 
Certificate dialog box. 

[Screenshot: Client CA Certificate dialog box. The Certificate field shows the 
distinguished name C=US; O=RedCreek; OU=Engineering; CN=NYOffice_Cert next to a 
Select button; the "Specify a name for the certificate" box contains NYOffice_Cert; 
OK and Cancel buttons.] 

5. Enter a user-friendly name for the certificate in the Specify a name for the certificate 
box (NYOffice_Cert in this example to match the common name), and then click OK. 



The new certificate appears in the certificate list. 

[Screenshot: Ravlin Node Manager - [3200.rav], Client Options > Client CA Certificates 
selected; the contents pane lists the certificates by User Friendly Name and 
Certificate Distinguished Name.] 

6. To enter the information in the policy data entry (PDE) designed for the Ravlin Soft 
client, open the Policy Database component, click Policy Data Entries, click the PDE 
designed for the Ravlin Soft client (RavlinSoft in this example), and then click Peer 
Info. 

[Screenshot: Policy Database tree with Key Management, Protocol Tables, and Policy Data 
Entries; the RavlinSoft PDE is expanded.] 

In the contents pane, the Distinguished Name entry for the certificate appears. 

7. Double-click Distinguished Name. 

The Peer Distinguished Name dialog box appears. 

8. Type the identifying information for the CA certificate (obtained in step 1) in the Use 
Generic Distinguished Name box. 

Important! You must enter the identifying information in the following format. In 
addition, you must use semicolons in between each entry. 

C=<Country Code>; O=<Organizational Code>; OU=<Organization 
Unit>; CN=<Common Name> 

In this example, the string to enter is: 

C=US; O=RedCreek; OU=Engineering; CN=NYOffice_Cert 
Note: Ravlin Node Manager accepts wildcard characters in any of the fields in the 
distinguished name. 

9. Click OK. 

The import process is complete. 
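As an added example (not Ravlin Node Manager code), the following parses the generic Distinguished Name string described in step 8 and matches it against a peer certificate's DN. It assumes the semicolon-separated C/O/OU/CN format shown above and treats '*' and '?' as the wildcards the Note mentions; the exact wildcard syntax of RNM is not documented on this page.

```python
# Added example (not Ravlin Node Manager code): parse the generic Distinguished
# Name string described above and match it against a peer certificate's DN.
# Assumptions: fields are separated by semicolons, as the Important! note
# requires, and the wildcards mentioned in the Note are '*' and '?' (fnmatch
# style); RNM's exact wildcard syntax is not documented on this page.
from fnmatch import fnmatchcase

FIELDS = ("C", "O", "OU", "CN")


def parse_dn(dn):
    """Turn 'C=US; O=RedCreek; OU=Engineering; CN=NYOffice_Cert' into a dict.
    Raises ValueError on a part without '=', an unknown key or a repeated key."""
    result = {}
    for part in dn.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"missing '=' in {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.upper()
        if key not in FIELDS:
            raise ValueError(f"unknown field {key!r}")
        if key in result:
            raise ValueError(f"repeated field {key!r}")
        result[key] = value
    return result


def is_valid_generic_dn(dn):
    """True if dn parses and carries all four fields the dialog requires."""
    try:
        parsed = parse_dn(dn)
    except ValueError:
        return False
    return all(f in parsed for f in FIELDS)


def wildcard_fields(dn):
    """Fields of a generic DN whose value contains a wildcard.  A pattern such
    as CN=* accepts any certificate from that CA and OU, so these are worth
    reviewing before the PDE goes live."""
    return [k for k, v in parse_dn(dn).items() if any(c in v for c in "*?[")]


def dn_matches(generic_dn, subject_dn):
    """True if the peer's subject DN satisfies the generic DN field by field.
    The generic DN must carry all four fields; comparison is case-sensitive."""
    if not is_valid_generic_dn(generic_dn):
        raise ValueError("generic DN must give C, O, OU and CN separated by ';'")
    pattern, subject = parse_dn(generic_dn), parse_dn(subject_dn)
    return all(f in subject and fnmatchcase(subject[f], pattern[f]) for f in FIELDS)


if __name__ == "__main__":
    generic = "C=US; O=RedCreek; OU=Engineering; CN=NYOffice_Cert"
    print(dn_matches(generic, "C=US;O=RedCreek;OU=Engineering;CN=NYOffice_Cert"))
```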
CONFIGURING UNITS REMOTELY 



In some situations, a network administrator might find it convenient to configure Ravlin 
units remotely across a router and another Ravlin unit. In the example described below, 
the administrator uses Ravlin Node Manager on PC A to configure Ravlin Unit B across 
Ravlin Unit A and a router. 

[Illustration: PC A (192.168.5.5, running RNM) connects to Ravlin Unit A (Local 
192.168.5.12, Remote 192.168.5.11), which connects through a router to Ravlin Unit B 
(Remote 192.168.10.31, Local 192.168.10.32), which protects PC B (192.168.10.10).] 


To configure Ravlin Unit B, the administrator must perform the following tasks. 

1. Using the front panel buttons, set the Local and Remote IP addresses of the unit on 
the far side of the router (Ravlin Unit B). 

Setting the IP addresses manually is necessary because PC A cannot communicate 
with Ravlin Unit B across the router until the IP addresses are set. (The MAC 
addresses alone are insufficient.) In the above example, the administrator sets the 
Remote IP address to 192.168.10.31, and the Local IP address to 192.168.10.32. 

2. Using the Ravlin Node Manager, set the near unit (Ravlin Unit A) to Pass All Traffic, 
or set up a bypass policy data entry to the remote subnet. 

Otherwise, configuration information cannot pass through the near Ravlin unit. 

3. Set up policy data entries on both units in the normal way, except for the Network 
Tables subcomponent (as described in the next step). 



4. In the Network Tables subcomponent, set up entries as follows: 
• On the Near Unit (Ravlin Unit A) 

Table            Entry 

Peer Networks    • Create an entry with the IP address of the interface 
                   through which Ravlin Node Manager communication 
                   occurs on the far unit (Ravlin Unit B). For the example 
                   above, assume that this communication happens 
                   through the Remote interface of the far unit. The IP 
                   address of this interface is 192.168.10.31. Set the 
                   subnet mask to 255.255.255.255. 

                 • Create an entry with the IP address and subnet mask 
                   specifying the network or subnet protected by the far 
                   unit (Ravlin Unit B). For the example above, assume 
                   that the protected subnet consists of a single host, 
                   PC B. Thus, the entry should specify an IP address of 
                   192.168.10.10 and a subnet mask of 255.255.255.255. 

Local Networks   • Create an entry with the IP address and subnet mask 
                   of the network or subnet protected by the near unit 
                   (Ravlin Unit A). For the example above, assume that 
                   the protected subnet consists of a single host, PC A. 
                   Thus, the entry should specify an IP address of 
                   192.168.5.5 and a subnet mask of 255.255.255.255. 




• On the Far Unit (Ravlin Unit B) 

Table            Entry 

Peer Networks    • Create an entry with the IP address and subnet mask of 
                   the network or subnet protected by the near unit 
                   (Ravlin Unit A). For the example above, assume that the 
                   protected subnet consists of a single host, PC A. Thus, 
                   the entry should specify an IP address of 192.168.5.5 
                   and a subnet mask of 255.255.255.255. 

Local Networks   • Create an entry with the IP address and subnet mask of 
                   the network or subnet protected by the far unit (Ravlin 
                   Unit B). For the example above, assume that the 
                   protected subnet consists of a single host, PC B. Thus, 
                   the entry should specify an IP address of 192.168.10.10 
                   and a subnet mask of 255.255.255.255. 

                 • Create an entry with the IP address of the interface 
                   through which Ravlin Node Manager communication 
                   occurs on the near unit (Ravlin Unit A). For the example 
                   above, assume that this communication happens 
                   through the Remote interface of the near unit. The IP 
                   address of this interface is 192.168.5.11. Set the subnet 
                   mask to 255.255.255.255. 




5. Using the Ravlin Node Manager, set the Operational Mode of the far unit (Ravlin Unit 
B) to VPN. 

6. Using the Ravlin Node Manager, set the Operational Mode of the near unit (Ravlin 
Unit A) to VPN. 
REMOTE PORT ARP PROXY 



By default, the Local and Remote interfaces perform proxy ARP requests automatically. 
Because proxy ARP requests by the Remote interface can cause problems in certain 
situations, you might need to disable the Remote Port ARP Proxy setting. 
The following diagram shows an example. Assume that Host A and Host B are each 
configured in bridge mode (see Bridging and Routing). 

[Illustration: Host A, Host B, and Host C connected through Ravlin A and Ravlin B.] 


If Host B executes an ARP for Host A, Ravlin B performs a proxy ARP on behalf of Host 
A at the local side. 



However, when Host C executes an ARP for Host A, a problem occurs. In this case, Ravlin 
A performs a proxy ARP on behalf of Host A at the remote side. But because Ravlin A is 
in bridge mode, Host B also sends an ARP reply back to Host C. Thus, instead of a single 
ARP reply, Host C receives two ARP replies. This can cause confusion. The solution is to 
disable Remote Port ARP Proxy on both Ravlin A and Ravlin B. 
THE SYSLOG MESSAGE VIEWER 



Syslog is a UDP-based application protocol that serves as the primary event logging 
mechanism in the Ravlin 3.X product line. Messages handled and reported by Syslog 
include critical system errors, hardware failure, warning messages, and other information. 
While Syslog message codes are accessible from the front panel of a Ravlin 10 unit (where 
they appear in a seven-digit hexadecimal format), the Syslog Message Viewer displays the 
codes in more verbose form. 

Configuring For the Syslog Message Viewer 

Before Syslog can capture and log events generated by the Ravlin unit, you must tell the 
unit where to log the generated messages. To execute this configuration, perform the 
following steps: 

1. Start a session in the Ravlin Node Manager and open (or create) the configuration file 
for the unit. 

2. Navigate to the Reporting | Syslog Server subcomponent in the Item pane of the unit 
window. 

[Screenshot: Ravlin Node Manager - [Houston.r10], Reporting > Syslog Server selected in 
the Item pane; the contents pane lists IP Address, Port (514) and Priority (Normal).] 



1 X, Ravlin Node Manage 


r - [Houston. r10] 


"2J. File Edit View Took Wndow Help fl | x| 


D G£ 1 H | aje 


1b X | g« | f 


l+l „J Network 

EH_| Policy Database 

t— J | Reporting 

lj| SNMPTrapl 
,,^| iy.log ieive 
Settings — 
Status tJ 

<i \ >r 


IP Address Pott Priority 


l|i?2i&0fl 514 Normal 




Ready 0001 Total 0001 Selected 



3. Right-click the Syslog Server subcomponent, then select Insert from the popup menu 
that appears. 

The Add Syslog Server dialog box appears. 

4. Enter the IP address of the Syslog server, then click OK. 

In most cases, the IP address is that of the host that runs the Ravlin Node Manager. 
5. Leave the Port Number and Priority settings alone. 



Note: If the Syslog Message Viewer displays no output, initialize the Ravlin unit 
again by selecting Tools / Reset Unit. This action restarts the flow of 
Syslog messages. 

Starting the Syslog Message Viewer 

To start the Syslog Message Viewer, open the Windows Desktop Start menu and select 
Syslog Message Viewer from the RedCreek Communications menu. (On most systems, the 
path is Start | Programs | RedCreek Communications | Syslog Message Viewer.) 

The Syslog window appears. 



Syslog Syntax Examples 



In the figure below, a Syslog Messages window displays a series of event log messages. 
The first column displays the IP address of the Reporting Server, the workstation that 
collects the Syslog messages generated by the Ravlin unit. The second column displays 
the hexadecimal message code (enclosed in square brackets), the time the Ravlin unit 
generated the message, and a text message describing the event. 
[Screenshot: Syslog Messages window with columns Reporting Server, Message ID, 
Timestamp of event, Message Text, and Reception time.] 

Before Syslog can report an event message, the administrator must create a Policy Data 
Entry (PDE) in the Ravlin Node Manager. 

The following messages are typical output sent to the Syslog application from a Ravlin 
unit. All of the logging on the device goes through a central distributor, which then 
forwards messages to the appropriate publishers (the entities that access the Syslog 
output). The messages show that this device (a Ravlin 10) has three publishers: the front 
panel, the serial port, and the Syslog. 
[15149100] 98-07-28/00:35:48 (GMT) Publisher registered for event 
audit messages (FRONTPANEL) 

[15149100] 98-07-28/00:35:48 (GMT) Publisher registered for event 
audit messages (SERIAL) 

[15149100] 98-07-28/00:35:48 (GMT) Publisher registered for event 
audit messages (SYSLOG) 

Three more messages describe a successful security association setup. The message 
sequence (050b4116, 05024117, and 0502411a) is highly predictable and may occur 
whenever an SA is generated between two Ravlin units or between a Ravlin Soft client 
and a Ravlin unit: 

[050b4116] 98-07-28/00:35:48 (GMT) Received ISAKMP initialization 
request from Peer IP (192.168.2.234) 

[05024117] 98-07-28/00:35:51 (GMT) Phase I complete. Peer and 
Proposal is (IP: 192.168.2.234 ID: 19) 

[0502411a] 98-07-28/00:35:51 (GMT) ISAKMP/OAKLEY successful. SA 
Active. Peer and Transform is (IP: 192.168.2.234 ESP) 

The following messages are generated when a client accesses a Ravlin 10 using RADIUS 
authentication. 

[050b4116] 98-07-16/04:02:30 (GMT) Received ISAKMP initialization 
request from Peer IP (192.168.2.234) 

[05024117] 98-07-16/04:02:31 (GMT) Phase I complete to Peer IP 
(192.168.2.234) 

[15213500] 98-07-16/04:02:32 (GMT) Sent RADIUS ACCESS Challenge to 
Client IP (192.168.53.21) 

[15213501] 98-07-16/04:02:37 (GMT) RADIUS Authentication successful 
with (IP: 192.168.53.21, User ID: jeff) 

[051a4604] 98-07-16/04:03:40 (GMT) SA Terminated. Client (IP: 
192.168.53.21 Pkts/Bytes Encrypt : Decrypt 51:72:3256:5904) 
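As an added example (not RedCreek code), the following parses Ravlin Syslog lines in the layout shown above and summarises what an operator would watch for: peers that completed the 050b4116 / 05024117 / 0502411a SA sequence, successful RADIUS logins, clients that were challenged but never authenticated, and SA terminations. The message codes come from the samples above; the sample lines are constructed, and the meaning of the SA-termination counters is an assumption.

```python
# Added example (not RedCreek code): parse the Ravlin Syslog lines shown above
# and flag what a security operator would watch for.  The line layout
# ([code] YY-MM-DD/HH:MM:SS (GMT) text) and the message codes are taken from the
# samples above; the meaning of the SA-termination counters is an assumption.
import re

LINE_RE = re.compile(
    r"^\[([0-9a-fA-F]{8})\]\s+(\d\d-\d\d-\d\d/\d\d:\d\d:\d\d)\s+\(GMT\)\s+(.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
USER_RE = re.compile(r"User ID:\s*([^\s,)]+)")
COUNTERS_RE = re.compile(r"(\d+):(\d+):(\d+):(\d+)\)?\s*$")

# message codes from the sample output above
ISAKMP_INIT, PHASE1_DONE, SA_ACTIVE = "050b4116", "05024117", "0502411a"
RADIUS_CHALLENGE, RADIUS_SUCCESS, SA_TERMINATED = "15213500", "15213501", "051a4604"


def parse_line(line):
    """Split one line into (code, timestamp, text, first IP in text or None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, stamp, text = m.groups()
    ip = IP_RE.search(text)
    return code.lower(), stamp, text, (ip.group(0) if ip else None)


def analyze(lines):
    """Summarise a message stream: peers that completed the
    050b4116 -> 05024117 -> 0502411a SA sequence, successful RADIUS logins,
    clients challenged by RADIUS but never authenticated, and SA terminations."""
    stage = {}     # peer IP -> last ISAKMP step seen (1 = init, 2 = Phase I done)
    pending = {}   # client IP -> timestamp of an unanswered RADIUS challenge
    out = {"sa_established": [], "radius_ok": [], "terminated": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # not a Ravlin event line; skip it
        code, stamp, text, ip = parsed
        if code == ISAKMP_INIT:
            stage[ip] = 1
        elif code == PHASE1_DONE and stage.get(ip) == 1:
            stage[ip] = 2
        elif code == SA_ACTIVE and stage.get(ip) == 2:
            del stage[ip]
            out["sa_established"].append((stamp, ip))
        elif code == RADIUS_CHALLENGE:
            pending[ip] = stamp
        elif code == RADIUS_SUCCESS:
            pending.pop(ip, None)
            user = USER_RE.search(text)
            out["radius_ok"].append((user.group(1) if user else None, ip))
        elif code == SA_TERMINATED:
            c = COUNTERS_RE.search(text)
            # assumed order: encrypted pkts, decrypted pkts, encrypted bytes, decrypted bytes
            out["terminated"].append((ip, tuple(int(x) for x in c.groups()) if c else None))
    out["radius_pending"] = sorted(pending.items())
    return out


# Constructed sample lines, based on the messages above plus one unanswered
# challenge and one non-Ravlin line.
SAMPLE_LOG = [
    "[15149100] 98-07-28/00:35:48 (GMT) Publisher registered for event audit messages (SYSLOG)",
    "[050b4116] 98-07-28/00:35:48 (GMT) Received ISAKMP initialization request from Peer IP (192.168.2.234)",
    "[05024117] 98-07-28/00:35:51 (GMT) Phase I complete. Peer and Proposal is (IP: 192.168.2.234 ID: 19)",
    "[0502411a] 98-07-28/00:35:51 (GMT) ISAKMP/OAKLEY successful. SA Active. Peer and Transform is (IP: 192.168.2.234 ESP)",
    "[15213500] 98-07-16/04:02:32 (GMT) Sent RADIUS ACCESS Challenge to Client IP (192.168.53.21)",
    "[15213501] 98-07-16/04:02:37 (GMT) RADIUS Authentication successful with (IP: 192.168.53.21, User ID: jeff)",
    "[15213500] 98-07-16/04:05:10 (GMT) Sent RADIUS ACCESS Challenge to Client IP (192.168.53.40)",
    "[051a4604] 98-07-16/04:03:40 (GMT) SA Terminated. Client (IP: 192.168.53.21 Pkts/Bytes Encrypt : Decrypt 51:72:3256:5904)",
    "syslog collector restarted",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```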
BRIDGING AND ROUTING 



Whether the Ravlin unit runs in bridge mode or router mode depends on the IP address 
and subnet mask values you specify for the unit's Local and Remote interfaces. The unit 
runs in bridge mode if the Local and Remote network addresses are the same; otherwise, 
the unit runs in router mode. 

A router is a computer, a workstation, or a dedicated hardware device set up to handle 
routing tasks. Such a device typically has two or more network interfaces, through which 
the routing device sends IP packets to other networks. Routers are also called gateways 
because they prevent or allow access to specific networks. That is why Ravlin units are 
often placed behind a router, to provide security protection just behind the gateway to 
your network. 

Each router contains a routing table, which lists the IP addresses of other network 
devices. When the router receives packets to transmit, the router consults the routing 
table and forwards the packets to the listed IP addresses. Ravlin units also have routing 
tables, which can perform concurrent routing functions. Using the Ravlin Node Manager 
(RNM), you can define the Ravlin unit's routing functions globally, or define policy data 
entries individually. If you set a Ravlin unit to pass all traffic in the clear, the unit becomes 
a simple router or bridge, and performs no other security functions. 

When you insert a Ravlin unit into an existing network, any static routes listed in the 
router's table must also exist in the Ravlin unit's routing table. 

Note: The Ravlin unit relies on the network route to support Routing 
Information Protocol (RIP), Border Gateway Protocol (BGP), or Open 
Shortest Path First (OSPF). 

Note: Ravlin routing tables provide static routing capability as required for 
some networking topologies. However, a default route (denoted by the IP 
address 0.0.0.0) is sufficient in many instances. 

End-to-End and Edge-to-Edge 

When a Ravlin unit protects a network, it is said to reside on the "edge" of the network, 
even though the unit may only protect a subnet of a larger enterprise network. When two 
Ravlin units participate in a Virtual Private Network (VPN), it is referred to as an "edge-to- 
edge" connection. A Ravlin Soft client is said to reside on the "end" of a network, so a 
connection between a Ravlin Soft client and a Ravlin unit is referred to as "end-to-edge." 
A connection between two Ravlin Soft clients is referred to as "end-to-end." Edge-to- 
edge and end-to-edge connections both require tunneling security modes; transport mode 
is not allowed. Consequently, ESP tunneling is the most common option for IPsec security 
associations (SAs). 
The following examples show a variety of Ravlin connectivity applications, including 
Ravlin units serving as routers (Examples 1 and 2), Ravlin units serving as bridges 
(Example 3), and a Ravlin installed in parallel with a NAT firewall (Example 4). All exist in a 
hypothetical company's campus-wide network. 

When you connect and configure Ravlin units in a network, always remember that routing 
and bridging operate separately from any security functions in the devices. Once you 
insert a Ravlin unit into a network, you must properly define the routing table in order to 
restore normal network traffic. The key requirement for any Ravlin unit's routing table is a 
defined default route. A default route specifies the router interface port to which another 
device automatically forwards packets as the last resort. All other routes in the Ravlin 
unit's routing table are for networks that are unreachable through the default route. 

Refer to the illustration on the next page to see how all the examples might fit together in 
the larger network. 
Connectivity Scenario 1: Ravlins as Routers 



In this example, two Ravlin units protect departmental networks. (Refer to the following 
illustration.) One Ravlin unit protects a Marketing subnet, and another Ravlin protects a 
Sales subnet. 



Each operates as a router. Both reside within the Building 1 network (network IP 
172.16.32). The Human Resources department resides behind a non-Ravlin router. The 
network contains several subnets, each routed using either the Ravlin units or basic 
routers into 254-node (2^8 - 2) subnets. 

Note: The subnets are not Class C because their network number is still 172.x.x. Hence the 
suffixes /21 and /24, which indicate the size of the subnets, by the number of consecutive 
1's in the subnet mask. The larger Building 1 network, of which the sample departments are 
a part, has a mask of 21 bits, denoting a subnet of 2046 nodes (2^11 - 2). Another dedicated 
router serves as gateway to the Human Resources department. 

Three departments reside in Building 1: Sales and Marketing behind Ravlin units, and a 
third department behind another router. The network address between the two Ravlin 
units is 172.16.32. 

Every Ravlin in the network has one default route, which rests off of each Ravlin unit's 
Remote interface. Since each Ravlin unit's Remote interface connects to the 172.16.32 
network, their default route is the Building 1 router's local gateway IP of 172.16.32.1, 
because that is where they both directly connect. No specific network address or network 
mask is required for the default route. Each network that cannot be reached through the 
default route must be accounted for in the routing table. The following table shows the 
routing configuration for each Building 1 department. 
Ravlin Unit                          Local Interface IP Address    Remote Interface IP Address 
-----------------------------------  ----------------------------  --------------------------- 
Sales                                172.16.40.1/24                172.16.32.4/21 
Marketing                            172.16.42.1/24                172.16.32.2/21 
Human Resources (non-Ravlin router)  172.16.41.1/24 (inside)       172.16.32.3/21 (outside) 


Note that the address spaces shown are private addresses. Since Ravlin units operate as 
simple routers, it's possible to use public Internet IP addresses on one interface and 
private IP addresses on the other. 

Since the Ravlin units were installed in a pre-existing network, it's important to construct 
the devices' routing tables so the protected networks behind the Ravlin can communicate 
to the following. 

• The default route 

• Any networks that cannot be contacted through the default route 

For the network protected by Marketing's Ravlin, the networks that cannot be contacted 
through the default route are: 

• 172.16.41.0/24 

• 172.16.42.0/24 

For the network protected by Sales's Ravlin, the networks that cannot be contacted 
through the default route are: 

• 172.16.40.0/24 

• 172.16.41.0/24 

For each Ravlin unit, the networks consist of 254 nodes based on their masks. In a Class B 
network such as 172.16, you mask 24 bits of the address to derive a 256-node subnet, 
minus the normal two nodes for network infrastructure (2^8 - 2). For this reason, the 
networks are denoted in addresses such as 172.16.42.1/24. Their masks are thus 
255.255.255.0. Knowing this, you can now add them to the routing tables for each Ravlin. 
Two more entries are necessary for each routing table. 
The following two figures show the entries necessary to complete the routing table for the 
Marketing Ravlin unit. 

The following figure shows the full Marketing routing table from within Ravlin Node Manager. 

The table entries match up with the other networks within Building #1, none of which are 
reachable through the default route. Any other networks that the protected network needs 
to communicate with should also be represented in the routing table. 

Note: Use caution when entering the network address and gateway values. 
Diagram the network in question and account for all relevant network and 
gateway IP addresses before building the routing table. If you do so, the 
process will only need to be done once. 
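To make the default-route rule concrete, here is a small model of a Ravlin routing table as a longest-prefix-match lookup with a 0.0.0.0/0 route of last resort. This is an added Python example, not code from the manual or from RedCreek: the class and function names are invented, and the explicit routes (the Human Resources router's outside address 172.16.32.3 and the Marketing Ravlin's Remote address 172.16.32.2 used as gateways) are assumptions taken from the interface table above, since the figures with the original entries are not reproduced on this page.

```python
import ipaddress
from typing import List, Optional, Tuple

# The default route is written the way the manual describes it: network
# address and mask both all zeros, i.e. 0.0.0.0/0.
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


class RavlinRoutingTable:
    """Model of a Ravlin unit's routing table: explicit routes for networks
    that the default route cannot reach, plus one default route."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = []

    def add_route(self, network: str, gateway: str) -> None:
        # strict=False lets an entry be written as 172.16.41.1/24, as the
        # manual does; it is normalised to the network address 172.16.41.0/24.
        self._routes.append(
            (ipaddress.ip_network(network, strict=False), ipaddress.ip_address(gateway))
        )

    def set_default_route(self, gateway: str) -> None:
        # No specific network address or mask is needed for the default route.
        self.add_route("0.0.0.0/0", gateway)

    def has_default_route(self) -> bool:
        return any(net == DEFAULT_ROUTE for net, _ in self._routes)

    def next_hop(self, destination: str) -> Optional[str]:
        """Longest-prefix match. The /0 default route only wins when nothing
        more specific matches, which is what makes it the route of last resort."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, gw in self._routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return str(best[1]) if best else None


def build_example_table() -> RavlinRoutingTable:
    """Constructed table for a Building 1 department Ravlin whose Remote
    interface sits on 172.16.32.0/21. The default route (172.16.32.1) is from
    the scenario text; the gateways of the two explicit routes are assumptions
    based on the interface table, not the manual's own figure entries."""
    table = RavlinRoutingTable()
    table.set_default_route("172.16.32.1")
    table.add_route("172.16.41.0/24", "172.16.32.3")  # HR, behind the non-Ravlin router
    table.add_route("172.16.42.0/24", "172.16.32.2")  # Marketing, behind its Ravlin
    return table


if __name__ == "__main__":
    t = build_example_table()
    for dst in ("172.16.41.7", "172.16.42.200", "10.9.8.7"):
        print(dst, "->", t.next_hop(dst))
```

A table with no default route returns no next hop at all for addresses outside the explicit entries, which is the failure the manual's "key requirement" warns about.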



Connectivity Scenario 2: Illustrating Default Routes 

In this example, one Ravlin unit resides in front of the Engineering department in Building 
4, while another resides in front of the Sales group in Building 1 (similar to Scenario 1 
above). Both networks must communicate after the units have been installed, 
independently of any security settings already in place. (Refer to the following 
illustration.) 

In both Engineering and Sales, the other Ravlin is reachable through the default route. 
Both units have different default routes, because each is connected to a different router in 
each building: 

The subnet mask and Network IP addresses are both set to all zeros, as in the previous 
example. This is only done for the default route. 

If the only requirement is to ensure proper communication between the two networks 
protected by Ravlin units, the default routes are sufficient for each unit's routing table. For 
the Engineering department, the sample routing table below contains the default route to 
the Building 4 router, and routes to other departments in the same building, such as the 
Customer Service network at network address 172.16.54. 

The Sales Ravlin has a similar table. 

Networks in other buildings are reachable through the default route, assuming they're not 
protected by other Ravlin units. Consequently, you do not need to add these networks to 
the Ravlin units' routing tables. 

The only major difference between this example and the previous one is that each Ravlin 
is reachable through several hops, both of which begin through the default route. The 
only hop that needs to be accounted for is the default route or "next hop" for each Ravlin, 
because the other routers properly forward the packets. 



Connectivity Scenario 3: Ravlins as Bridges 

A common Ravlin application is bridging between the network router and the network. 
Bridging occurs when both Ravlin interfaces have the same network number. (To 
determine this, perform a bitwise AND of each interface's IP address with its subnet 
mask. If both interfaces yield the same result, the device is in Bridge mode.) 

The IP addresses for both Ravlin interfaces are on the same network. This was not true in 
Scenarios 1 and 2. 
The goal in this example is to set up the routing tables for each Ravlin unit so that 
Buildings 2 and 3 can communicate with one another. Though both devices are in Bridge 
mode, routing tables are still necessary. For both Ravlin units, the routing table consists 
of a single entry, the default route, which is the router interface directly connected to the 
Remote interface of each Ravlin unit. 

Here, the default route or Next Hop for the Building 2 Ravlin is 172.16.24.1, and the default 
route for the Building 3 Ravlin is 172.16.16.1. This is sufficient to allow both networks to 
exchange traffic. 
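The bitwise-AND test for Bridge versus Router mode, and the check that a bridged unit's single default route is actually reachable from its Remote interface, carried out in code. This is an added Python example, not RedCreek code: the function names are chosen here, the Sales and Marketing addresses come from the Scenario 1 table, and the Building 2 interface addresses 172.16.24.10/21 and 172.16.24.11/21 are constructed (the manual gives only that unit's default route, 172.16.24.1).

```python
import ipaddress
from typing import Dict


def network_number(ip: str, prefixlen: int) -> str:
    """Bitwise AND of an interface address with its subnet mask: the test the
    manual gives for an interface's network number."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(addr & mask))


def ravlin_mode(local_if: str, remote_if: str) -> Dict[str, str]:
    """Classify a unit from its two interface addresses in a.b.c.d/n form.
    Same network number on both interfaces => Bridge mode; otherwise Router mode."""
    l_ip, l_len = local_if.split("/")
    r_ip, r_len = remote_if.split("/")
    l_net = network_number(l_ip, int(l_len))
    r_net = network_number(r_ip, int(r_len))
    return {
        "local_network": l_net,
        "remote_network": r_net,
        "mode": "bridge" if l_net == r_net else "router",
    }


def next_hop_reachable(remote_if: str, next_hop: str) -> bool:
    """A bridged unit's only routing entry is the default route, and that router
    interface must be directly connected to the Remote interface's network."""
    r_ip, r_len = remote_if.split("/")
    return network_number(next_hop, int(r_len)) == network_number(r_ip, int(r_len))


if __name__ == "__main__":
    # Scenario 1 units (router mode) and a constructed Building 2 bridge.
    print("Sales:", ravlin_mode("172.16.40.1/24", "172.16.32.4/21"))
    print("Marketing:", ravlin_mode("172.16.42.1/24", "172.16.32.2/21"))
    print("Building 2:", ravlin_mode("172.16.24.10/21", "172.16.24.11/21"))
    print("Building 2 default route ok:", next_hop_reachable("172.16.24.11/21", "172.16.24.1"))
```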



Connectivity Scenario 4: Single-Interface Configurations 

This section describes how to configure Ravlin units into an increasingly popular setup 
called Single-Interface Configuration. 

The Single-Interface configuration uses only one of the Ravlin unit's network interfaces, 
and the unit connects with the protected network much as a single host would. The figure 
below illustrates a basic configuration scenario with sample private IP spaces. 



[Figure: Single-Interface configuration with sample private IP spaces; the Ravlin Remote 
interface addresses shown are 192.168.2.10 and 172.16.4.25. Legend: R = Remote Interface; 
the two line styles distinguish Unencrypted Data from Encrypted Data.] 



This is also a solution for protecting nodes and networks that reside behind a NAT- or 
Proxy-based firewall. 

For each network shown in the figure above, the Ravlin unit is connected using the 
Remote interface, while the Local interface remains unconnected. Each host on the 
protected network sends its traffic to the Ravlin unit, which in turn encrypts the packets, 
sends them back out the remote interface, and through the router gateway to the Ravlin 
on the other end of the SA. 

There are several key points to understand for this configuration. 

• The Ravlin units operate in router mode, and the disconnected Local interface 
has a "fictional" network address. 

In the diagram above, both Ravlin units are set up in Single-Interface 
configuration. The Remote interface is connected to the network and the other 
interface has no connection. Both interfaces have differing network addresses, 
ensuring that the device is in router mode. 

• For firmware versions 3.300 and below, only Pre-Shared Keys can be used. DSS 
is unavailable in Single-Interface mode. 
• Host setup can work in either of two ways: use the Ravlin unit's Remote interface 
as the default gateway for each system, or modify the routing table for each host. 
Both methods are described below. 

• The Ravlin unit's routing table must provide the local router as the Next Hop. 

In Single-Interface setups, the Ravlin unit does not operate in-line as a bridge. The device 
does not physically reside between the protected network and the router, and does not 
operate in parallel with the firewall. 

Significant benefits arise from this approach: 

• Using a single interface makes it easier to deploy Ravlin units on an existing 
network without disrupting the existing infrastructure. 

• Individual hosts can make use of security while others do not. This facilitates 
testing and initial rollouts. (A disadvantage of this approach is that many clients 
may need individual configuration.) 

• You can deploy Single-Interface Ravlin units in the outer ring or "DMZ" of the 
network, alongside Web servers, Proxy Servers, firewalls, and so on. 



Configuring Single-Interface 

The following steps show how to deploy Ravlin units in the Single-Interface 
configuration. 

1. Connect the Ravlin unit to the network through the Remote interface. Locate it in the 
same way you would locate a normal host computer. 

2. Create a policy data entry for the Ravlin unit in Ravlin Node Manager with the 
following characteristics: 

A. The local network address for the Remote interface, and a "fake" network 
address for the Local interface. 

B. Set the Ravlin unit's routing table to provide the router interface as the Next Hop. 

C. Use IPsec SA settings only. 

D. Add the proper values for the network tables. For example, in the diagram above, 
for the Ravlin in Network X the Local network entry should be set to 172. 16.4.0 
and the Remote network entry should be set to 192.168.2.0. 

3. Set up each host to use the Ravlin device in one of the following ways: 

A. Open a DOS window on each client computer and use the ROUTE ADD 
command to add a route to each client's routing table. You specify the 
destination network, use the keyword MASK with the subnet mask value, and 
then the gateway value (the Ravlin unit's IP address), as shown in this example: 

Route Add 192.168.2.0 Mask 255.255.255.0 172.16.4.25 -p 

The -P command option makes the route persistent, which means that the route 
is committed to the routing table even after a reboot. 

The new route will appear in the table when you type a ROUTE PRINT command 
(as an example): 

Network Address    Netmask          Gateway Address    Interface 

192.168.2.0        255.255.255.0    172.16.4.25        172.16.4.66 

The Network Address is that of Network Y, which the clients in network X want 
to reach. The Gateway Address is that of the Ravlin unit's Remote interface. The 
client's Interface value is simply the network card's IP address for the client 
computer. (This approach provides better performance but requires more work.) 

B. Open TCP/IP Properties in each host and set their Gateway value to the IP of the 
Ravlin unit's remote interface. This points the host's default gateway to the 
Ravlin unit's remote interface address. 

If you use this technique, you must add a Bypass entry PDE (Non-VPN Bypass 
Bi-Directional or Non-VPN Bypass Outbound Only) in Ravlin Node Manager to 
pass other network traffic in the clear. 

The Single-Interface configuration is relatively straightforward. It is an ideal way to 
experiment with IPsec encryption and security, and a basic connection to the network is 
all that is required. The administrator also can choose as few or as many clients as they 
want to work with the Ravlin device. In larger subnets, this can prove to be a significant 
amount of work since each client must be modified. 
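The key points and the two host methods above can be checked mechanically before any client is touched. The following Python is an added example, not Ravlin Node Manager code: the `SingleInterfaceConfig` fields are a hypothetical schema, the "fake" Local address 10.255.255.1/24 and the Network X router address 172.16.4.1 are constructed, and the /24 mask on 172.16.4.0 is assumed (the manual gives only the 255.255.255.0 mask of 192.168.2.0). The Ravlin Remote address 172.16.4.25 and the two network entries come from the steps above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class SingleInterfaceConfig:
    """Constructed model of one Single-Interface Ravlin deployment."""
    remote_if: str            # Remote interface, connected to the LAN like a host
    local_if: str             # unconnected Local interface with a "fake" address
    next_hop: str             # the unit's routing table Next Hop: the local router
    local_network: str        # network table entry for the protected LAN
    remote_network: str       # network table entry for the far-end protected LAN
    host_method: str          # "route" (ROUTE ADD per host) or "gateway" (default gateway)
    bypass_pde: bool = False  # Non-VPN Bypass policy data entry present?


def validate(cfg: SingleInterfaceConfig) -> List[str]:
    """Return the problems found; an empty list means the setup matches the
    key points of this section."""
    problems = []
    remote = ipaddress.ip_interface(cfg.remote_if)
    local = ipaddress.ip_interface(cfg.local_if)
    # Router mode is required: the two interfaces must have different network numbers.
    if remote.network == local.network:
        problems.append("Local and Remote interfaces share a network number (bridge mode)")
    # The unit sits on the protected network exactly as a host would.
    lan = ipaddress.ip_network(cfg.local_network, strict=False)
    if remote.ip not in lan:
        problems.append(f"Remote interface {remote.ip} is not on the local network {lan}")
    # The Next Hop must be the local router, reachable from the Remote interface.
    if ipaddress.ip_address(cfg.next_hop) not in remote.network:
        problems.append(f"Next Hop {cfg.next_hop} is not reachable from the Remote interface")
    # The default-gateway method needs a bypass PDE so non-VPN traffic still passes in the clear.
    if cfg.host_method == "gateway" and not cfg.bypass_pde:
        problems.append("Default-gateway method requires a Non-VPN Bypass PDE")
    return problems


def host_route_command(cfg: SingleInterfaceConfig) -> str:
    """The persistent ROUTE ADD line for a client on the protected network
    (method A above): destination network, mask, then the Ravlin's Remote address."""
    remote_net = ipaddress.ip_network(cfg.remote_network, strict=False)
    remote_if = ipaddress.ip_interface(cfg.remote_if)
    return f"route add {remote_net.network_address} mask {remote_net.netmask} {remote_if.ip} -p"


# Network X from the steps above, with the constructed values noted in the lead-in.
NETWORK_X = SingleInterfaceConfig(
    remote_if="172.16.4.25/24",
    local_if="10.255.255.1/24",
    next_hop="172.16.4.1",
    local_network="172.16.4.0/24",
    remote_network="192.168.2.0/24",
    host_method="route",
)

if __name__ == "__main__":
    print(validate(NETWORK_X) or "configuration consistent")
    print(host_route_command(NETWORK_X))
```

Running `validate` on a copy of `NETWORK_X` whose Local interface is put on 172.16.4.0/24, or whose hosts use the default-gateway method without a bypass entry, reports each violated key point by name.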
Connectivity Scenario 5: Ravlin with a Firewall 

Ravlin units allow the use of encryption in tandem with firewall functions. Encryption 
operations can be done in two places with a firewall: 

• in parallel 

• in front - on the "outside" port of the firewall 

You can place Ravlin units in parallel with firewalls or in front of them. The preferred 
configuration is parallel, as shown in the next figure. The addressing scheme must reflect 
the addressing performed on the firewall. 

This parallel arrangement is recommended because of the way in which firewalls operate. 
If you place a Ravlin unit on the "inside" of the firewall (the LAN side) for use with other 
remote Ravlin units, ISAKMP exchanges do not work and a security association is 
impossible. This is due to the nature of IPsec mechanisms, and how they can conflict with 
firewall security functions. In the following figure, the Ravlin unit resides in parallel with 
the firewall using a pair of hubs. Note that the Ravlin interfaces are set to network 
addresses mirroring those on the firewall. 

[Figure: Ravlin unit in parallel with a NAT firewall, connected through a pair of hubs.] 

Other firewall types operate differently. If the firewall is a packet-filtering type, the Ravlin 
units can reside anywhere - in front, in parallel, or behind the firewall. (In this case, the 
firewall is NAT.) 

Note: For the Ravlin unit in the network depicted by this example, the default 
route is 172.16.40.1. 

Conversely, when residing 'in front' of the firewall, the Ravlin unit can function as a bridge 
or as a router between the primary router and the firewall. The bridging application is 
probably more practical. 
APPENDIX A: THEORY OF OPERATION 



Network administrators use RedCreek products to protect information transmitted over 
private and public networks, and to control access to corporate resources. RedCreek's 
solutions are based on CryptoCore™, a revolutionary architecture that assures 
unparalleled transmission speed, transparent authentication, and network scalability in a 
networking environment. 



Networking 

In a networking environment, information exchange and communication occurs between 
multiple users connected to each other in some fashion. The most common kinds of 
interconnected systems include Local Area Networks (LANs) and Wide Area Networks 
(WANs). A LAN is a series of computers that share and exchange data with each other, 
usually at the same physical site. Computers in a WAN share and exchange their data 
over communication lines, as with the Internet. 

This section introduces the network elements that are important to understand when you 
implement solutions with RedCreek's Ravlin product family. 



Data Terminal Equipment 



The devices used directly by end users in a networking environment are known 
collectively as Data Terminal Equipment (DTE). Examples include client and server PCs, 
workstations, and dumb terminals (network computers). Such devices are often referred to 
as nodes or hosts. 



[Figure: Data Terminal Equipment (DTE)] 



The network uniquely identifies each node by its IP address. The information exchanged 
between nodes comes in IP packets, or datagrams (described below). These packets are 
discrete packages of information, each of which has an IP header. The header contains, 
among other things, an IP address that identifies the intended destination of the IP packet. 



IP Packets 

An IP packet, or datagram, is made up of a data segment (known as a payload) combined 
with network control information and an IP header for routing the packet to the proper 
network node. 



[Figure: IP packet layout: Network Control Information, IP Header, Data Payload] 

The network control section contains statistics about the packet itself, such as total 
length and source address. The IP header section contains the source and destination IP 
addresses, protocol processing flags, the IP version number, and other information. 



Routers 

Routers are devices that decide where IP packets go in a networking system. Typically, 
routers determine the "Next Hop" of IP packets and which network interface a packet 
travels through to reach its destination. 

A router decides where an IP packet goes by consulting entries in routing tables. A router 
can consult its own routing table, or use specifications from the routing table of another 
computer. 
Cryptography 

Cryptography is a branch of complex mathematics and engineering devoted to protecting 
information from unwanted access. In the context of computer networking, cryptography 
consists of encryption, authentication, and authorization. 

Encryption is the transformation of a data stream into a form unreadable by any but 
intended parties. Authentication is the process of identifying other parties, and 
confirming that exchanged information is not altered. Together, encryption and 
authentication protect data passing over public or private communication lines from 
hackers, competitors, and disgruntled employees. For data communications passing over 
networks, this combination of encryption and authentication is often referred to as a 
secure virtual private network (or VPN). Authorization determines what services, actions, 
and privileges are allowed to each party. 

Encryption Algorithms 

Most computer software and hardware devices that encrypt data streams use generally 
recognized encryption algorithms. Ravlin products use the following standard algorithms: 

• Data Encryption Standard (DES) 

The DES encryption algorithm was developed by IBM in 1971, enhanced by NSA 
and NIST in the late 1970s, and adopted by ABA in 1980. 

• Triple DES 

The Triple DES encryption algorithm performs a triple-encryption operation on 
plaintext data and yields a more secure result by the following steps: 

1. Apply the encryption algorithm to the data with a key, producing ciphertext. 

2. Apply the decryption algorithm to the data with another key. Because it is a 
different key than the one used to encrypt in the first step, this produces 
more ciphertext. 

3. Apply the encryption algorithm to the data again, using a third key. 

Triple DES also may use a 2-key system. 

The encrypted data stream produced by 168-bit Triple DES is generally 
considered to be more random (hence safer) because the key is changed at each 
step of the process. 
Generating a Security Association 

Before two parties exchange encrypted information, they must initiate a relationship 
known as a security association (or SA). During an SA, each party uses a common key 
(known as a session key) to decrypt the encrypted messages sent by the other party. 

[Figure: Bill's Ravlin unit and Susan's Ravlin unit each using the session key; messages 
travel encrypted between the units and are decrypted at each end.] 
Before an SA can take place, each party must undergo authentication to be sure that 
neither party is an impostor. Then the units must mutually generate an identical session 
key, which they use to decrypt each other's messages. To do this, the Ravlin units use a 
protocol called Internet Security Association and Key Management Protocol (ISAKMP), a 
standard developed by the Internet Engineering Task Force (IETF) as part of the Internet 
Protocol Security (IPsec) suite of protocol standards. 



Public and Private Keys 

The authentication process consists primarily of key exchange. A key is a numerical value 
that, according to a protocol used by both parties, allows the receiving party to decrypt 
encrypted messages. After a successful key exchange, the system sets up a security 
association, which permits secure (encrypted) communication between the two parties. 

Ravlin units use asymmetrical key exchange, in which keys are divided into key pairs. 
Each key pair consists of a public key and a private key. The private key is used to 
encrypt messages, and the public key is used to decrypt messages. As its name implies, a 
public key is not necessarily a secret; it is analogous to a telephone number, which any 
number of people might know. By contrast, the private key is analogous to a PIN number 
for an ATM account; it is a secret known only by the unit to which it belongs. 

Here is an example of asymmetrical key exchange. Assume Bill wants to send an encrypted 
message to Susan, as shown in the following diagram: 
Because Bill's Ravlin unit is initiating the exchange, Bill's unit is the source peer and 
Susan's is the receiving peer. The source peer uses Bill's private key to encrypt the 
message, while the receiving peer uses Bill's public key to decrypt the message. 



Digital Signatures and Digital Certificates 



Because a public key is not a secret key, a way is needed to prevent an impostor from 
using the key to initiate a fraudulent exchange or send an altered message. ISAKMP 
products solve this problem using digital certificates and digital signatures. 

To authenticate each peer to the other, ISAKMP exchanges two packets, each containing 
an X.509v3 digital certificate. 

During ISAKMP, a packet containing an X.509v3 digital certificate goes from the source 
peer (Bill's unit) to the receiving peer (Susan's unit). This certificate contains the source 
peer's public key plus other information, and is signed by the issuing Certificate Authority 
(CA), which vouches for the identity specified in the certificate. The source peer signs the 
packet using the source peer's private key (which corresponds to the public key in the 
certificate). 
When the X.509v3 certificate arrives at the receiving peer, the peer authenticates the CA 
signature using the CA public key, extracts the source peer's public key from the 
certificate, and uses it to validate the peer signature. If validation succeeds, Susan's unit 
knows that Bill's unit is genuine. 

In the next phase of ISAKMP, a packet containing another X.509v3 digital certificate goes 
from the receiving peer (Susan's unit) to the source peer (Bill's unit). The X.509v3 digital 
certificate (also signed by the issuing CA) contains the receiving peer's public key, plus 
other information. The receiving peer signs the packet using the receiving peer's private 
key (which corresponds to the public key in the certificate). 



Generating a Session Key 

To decrypt each others' messages, the security devices must generate the session key, an 
identical value shared in common between the units. Each unit uses this key to decrypt 
encrypted messages sent by the other unit. The units generate the session key using an 
algorithm known as Diffie-Hellman. 

[Figure: On Bill's unit, the Diffie-Hellman algorithm combines Susan's public value (carried 
in the packet with other information) with Bill's private value to produce the session key. 
On Susan's unit, it combines Bill's public value with Susan's private value to produce the 
same session key.] 
The Diffie-Hellman algorithm generates the session key on each device using each unit's 
unique private value, plus the public values derived during ISAKMP. For example, Diffie- 
Hellman generates the session key on Bill's unit using Susan's public values and Bill's 
private value. The Diffie-Hellman algorithm generates an identical session key on Susan's 
unit using Bill's public values and Susan's private value. 
Once this key is generated, the two units can use it to decrypt each other's encrypted 
messages. The security association is complete. 
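The exchange in the figure, carried through in code so that both units can be seen arriving at the same session key from different private values. This is an added Python example, not the Ravlin's ISAKMP implementation: it uses the Mersenne prime 2^127 - 1 with generator 2 as a constructed toy group (the standard Oakley groups are far larger), and derives the session key by hashing the shared secret, which is a simplification of the protocol's own key derivation. The public values must already have been authenticated by the certificate exchange described above before they are fed into this computation.

```python
import hashlib
import secrets
from typing import Tuple

# Constructed toy group: a Mersenne prime and generator 2. The arithmetic is
# the same as for the standardised groups; only the parameters are smaller.
P = 2**127 - 1
G = 2


def private_value(bits: int = 126) -> int:
    """A unit's private value: a random secret that never leaves the unit."""
    return secrets.randbits(bits) | 1


def public_value(priv: int) -> int:
    """The public value sent in the ISAKMP packet: g^priv mod p."""
    return pow(G, priv, P)


def session_key(my_priv: int, peer_pub: int) -> bytes:
    """Combine my private value with the peer's public value. Both units reach
    the same shared secret; hashing it yields the session key (simplified KDF)."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def demo_exchange(bill_priv: int, susan_priv: int) -> Tuple[bytes, bytes]:
    """Bill's unit and Susan's unit each compute the key from what they hold:
    their own private value and the other side's public value."""
    bill_pub = public_value(bill_priv)
    susan_pub = public_value(susan_priv)
    bill_key = session_key(bill_priv, susan_pub)
    susan_key = session_key(susan_priv, bill_pub)
    return bill_key, susan_key


if __name__ == "__main__":
    k_bill, k_susan = demo_exchange(private_value(), private_value())
    print("keys match:", k_bill == k_susan)
    print("session key:", k_bill.hex())
```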



Security Associations and Policy Data Entries 

A Ravlin unit can establish and run multiple security associations (SAs) simultaneously, 
thus allowing secure traffic between multiple locations. In addition, each defined SA can 
have different characteristics. For example, one SA might use the 56-bit DES encryption 
algorithm, while another SA might use the 168-bit Triple DES algorithm. 

To design a security association, the network administrator uses the Ravlin Node 
Manager to create a policy data entry. 
Each policy data entry contains a set of specifications that define the properties and 
behavior of an SA. The Ravlin unit defines each SA according to one such policy data 
entry. 

Secure Virtual Private Networks (VPNs) 

Network administrators use Ravlin units, Ravlin Soft clients, and the Ravlin Node 
Manager to establish secure virtual private networks (VPNs) over other networks, both 
private and public. Information passed across a VPN can be encrypted, ensuring privacy 
and confidentiality. 




In most cases, each individual Ravlin unit protects communications from one LAN to 
another LAN over a public or private network. The unit is typically installed between the 
LAN and the router for that LAN site. In the example shown above, LANs A and B are 
part of the secure VPN, while LAN C is not. Ravlin units protect communication (IP 
packets) passing between LAN A and LAN B, while communications from LAN A or LAN 
B to LAN C are unprotected (passed in the clear). 

The Ravlin units protecting LAN A and LAN B communicate via security associations 
(SAs). Each security association has its own configuration and characteristics, in keeping 
with the needs of the communicating parties. 
APPENDIX C: IPSEC SECURITY MODES 



Security devices make significant changes to IP packets as the packets travel through the 
network. Among these changes is a special 32-bit value called the Security Parameter 
Index, inserted in each packet header. Ravlin units use the SPI as an index to look up the 
cryptographic key and the security services from a special table. 

Ravlin-based secure networks look up Security Associations (SAs) using three items: the 
SPI, the protocol (AH or ESP), and the packet's destination IP address. 

When secure networks transmit packets, the following sequence occurs: 

1. The receiving host uses the SPI to identify the correct SA. 

2. With the provided shared-secret key, the host applies the required cryptographic 
algorithm. 

If the security association uses Authentication Header (AH) in combination with ESP, 
authentication occurs first. The Ravlin unit places the ESP header inside the 
authentication portion of the packet and encrypts the data payload. If an intruder 
tampers with the encrypted data, the AH receiver detects it and discards the payload 
without notification. 



IPsec Protocol/Transform Implementation 

The following table lists the IPsec modes supported by version 3.0. 

Mode            Cipher Algorithm        Authentication        Anti-Replay Service    Clear Text 
                (DES-56; Triple DES)    (None, SHA-1, MD5)    (winsize 32) 
--------------  ----------------------  --------------------  ---------------------  ---------- 
ESP Tunnel      Default CBC             Selectable            Selectable             Selectable 
ESP Transport   Default CBC             Selectable            Selectable             N/A 
AH Transport    N/A                     Selectable            Selectable             Default 
AH Tunnel       N/A                     Selectable            Selectable             Default 



ESP Tunnel Versus ESP Transport 

Encapsulating Security Payload (ESP) tunneling encrypts the payload and the IP address 
(IP1 in the diagram below), thus protecting the data and the routing information from 
intruders. The Ravlin unit attaches an ESP header to each packet in the data stream, along 
with the IP address of the destination Ravlin unit (IP2). The Ravlin unit appends two 
trailer sections to the end of the packet, one containing ESP information, and the other 
containing authentication data. 

ESP Tunnel mode's primary advantage is privacy through encryption and the protection 
of routing information. The primary disadvantage is lowered network performance, due to 
added packet processing overhead. 

ESP Transport mode differs from Tunnel mode by encrypting only the payload and ESP 
trailer. The source and destination IP addresses are not encrypted, and the new ESP 
source and destination IP addresses are not attached to the front end of the packet. 

ESP Transport mode improves performance by eliminating tunneling overhead. However, 
although packet headers are authenticated, eavesdroppers can view them. 



AH Tunnel Versus AH Transport 

In AH mode, IPsec standards mandate using the MD5 hash algorithm. A secret key is 
attached to the beginning of each packet, and the receiving host uses the key to compute 
the MD5 hash. RedCreek also supports the SHA-1 hash (Secure Hash Algorithm, created 
by the NSA). 
AH Tunnel mode encapsulates the datagram, but does not encrypt the datagram's 
payload or IP address (IP1 in the diagram below). The packet gets an AH header 
containing authentication information, and new source and destination IP addresses are 
appended to the front. Unlike ESP, no trailer sections are generated. Compared to AH 
Transport mode, AH tunneling tends to add overhead. 

AH Transport mode inserts an AH header, containing authentication information, 
between the IP address and the payload. As with AH Tunnel mode, neither the data nor 
the header is encrypted. Transport mode provides better performance, but uses the 
lightest security footprint of the IPsec standard modes. 

Anti-Replay Service 

The anti-replay feature prevents intruders from breaking into the system by recording a 
key and data exchange and replaying it. (In the table above, "winsize 32" refers to the 
number of frames the anti-replay window maintains.) Current IPsec standards provide 
basic anti-replay capabilities; therefore, Ravlin Soft provides an anti-replay capability, 
configurable through its Wizard-based configuration GUI. 
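The SA lookup described at the start of this appendix (by SPI, protocol and destination IP address) and the anti-replay window from the mode table, as one added Python example; it is not RedCreek code. The SPI values, addresses and all-zero keys are constructed, the class and method names are chosen here, and the window logic is the standard sliding-window scheme from the IPsec RFCs, which the manual refers to but does not spell out. The example does no cryptography; it shows only how a receiver selects the SA and decides whether a sequence number is fresh.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WINDOW_SIZE = 32  # "winsize 32": how many sequence numbers the window tracks


@dataclass
class SecurityAssociation:
    spi: int
    protocol: str          # "ESP" or "AH"
    dst: str               # destination IP address of the protected packets
    cipher: str            # e.g. "DES-56" or "Triple DES" (selection only)
    key: bytes             # constructed placeholder, never a real key
    highest_seq: int = 0   # highest sequence number accepted so far
    window: int = 0        # bitmap: bit i set => (highest_seq - i) was received

    def accept_sequence(self, seq: int) -> bool:
        """Sliding-window replay check. Records seq and returns True if it is
        new and inside the window; False for replays and packets behind it."""
        if seq == 0:
            return False                               # 0 is never a valid sequence number
        if seq > self.highest_seq:
            shift = seq - self.highest_seq             # slide the window forward
            self.window = (self.window << shift) & ((1 << WINDOW_SIZE) - 1)
            self.window |= 1                           # bit 0 now stands for seq itself
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW_SIZE:
            return False                               # older than the window: drop
        if self.window & (1 << diff):
            return False                               # already seen: a replay
        self.window |= 1 << diff                       # late but new: accept and mark
        return True


class SADatabase:
    """SA table keyed exactly as the appendix says: (SPI, protocol, destination IP)."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str, str], SecurityAssociation] = {}

    def install(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.protocol, sa.dst)] = sa

    def lookup(self, spi: int, protocol: str, dst: str) -> Optional[SecurityAssociation]:
        return self._sas.get((spi, protocol, dst))

    def inbound(self, spi: int, protocol: str, dst: str, seq: int) -> str:
        """Decision for one arriving packet: which SA applies, and whether its
        sequence number passes the anti-replay service."""
        sa = self.lookup(spi, protocol, dst)
        if sa is None:
            return "drop: no SA for SPI"
        if not sa.accept_sequence(seq):
            return "drop: replay or outside window"
        return f"accept: {sa.protocol} with {sa.cipher}"


def make_demo_sadb() -> SADatabase:
    """Constructed sample entries; SPI values and keys are made up for the example."""
    db = SADatabase()
    db.install(SecurityAssociation(0x1001, "ESP", "172.16.42.1", "Triple DES", b"\x00" * 24))
    db.install(SecurityAssociation(0x1002, "AH", "172.16.42.1", "N/A", b"\x00" * 16))
    return db


if __name__ == "__main__":
    db = make_demo_sadb()
    for seq in (1, 1, 5, 3, 3, 100, 68, 69):
        print(seq, db.inbound(0x1001, "ESP", "172.16.42.1", seq))
```

Note that the same SPI under a different protocol, or towards a different destination, selects no SA at all: all three lookup items have to match.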

Key Management 

The following changes apply to key management with version 3.0. 

Input of Certificates with Key Pairs for Ravlin Soft 

Each remote user on an independent client machine can import a certificate containing a 
key pair for that client. Each certificate resides in an encrypted file on a disk, and the user 
can import the file directly from the disk. For more information on client certificate 
management, please see the Ravlin Soft User's Guide. 
Provision of Unique Certification 

RedCreek grants unique certification for selected OEM companies, providing them with 
their own public and private key pairs. 

Manual Keying 

Administrators may add private keys to a Ravlin Soft client. These keys are private shared 
keys used for encryption and keyed authentication. For more information on client key 
use, please see the Ravlin Soft User's Guide. 



Key Management Modes 

The following table shows the key management modes available in version 3.0. 

Key Management Mode   Cipher Algorithm        Authentication        Anti-Replay Service    Clear Text 
                      (DES-56; Triple DES)    (None, SHA-1, MD5)    (winsize 32) 
--------------------  ----------------------  --------------------  ---------------------  ---------- 
Key                   Depends on mode 
ISAKMP/Oakley         Depends on mode         Selectable            Depends on mode 
APPENDIX C: COMMON SYSLOG MESSAGES 



The following are descriptions of Syslog messages most often encountered in the 
operation of VPNs. 



"Signature Verification failure" 



Meaning 

An invalid signature was detected during ISAKMP authentication process, thus 
preventing authentication and establishment of a security association (SA). 

Action to Take 



A workaround is to configure the policy data entry to use a pre-shared key. 

Because the Ravlin unit might have an incorrect signature in its firmware, or the firmware 
itself might be corrupted, it might be necessary to call RedCreek's Technical Support team 
for assistance. 



"Received ICMP Destination unreachable " 



Meaning 

The ISAKMP request is blocked from reaching the responder, or routed to the responder 
incorrectly. 

Action to Take 



Examine the access list on the responder and on the access router. Open UDP port 500 
and protocol type 50. 



"RADIUS Authentication failed. Client: " 



Meaning 

The user entered the RADIUS user name or password incorrectly, causing a RADIUS 
authentication failure. 



Action to Take 
Check the RADIUS server for the correct user name and password. Check the RADIUS 
system's log to verify that the RADIUS server received the message. 



"ISAKMP responder. No PDE defined for Client or 
server. Peer " 

Meaning 

The IP address specified in the Peer Info setting (when the type specified is VPN 
Gateway) is incorrect. 

Action to Take 



Use the Ravlin Node Manager on the peer Ravlin unit to correct the IP address. 

"Quick Mode processing failed" 

Meaning 

The ISAKMP Phase II attempt failed. For example, there could be a mismatch between 
IPsec proposals in the initiator and the responder. 

Action to Take 

Verify that the IPsec proposals match. 
"ISAKMP Phase I proposal is not acceptable. Peer: " 



Meaning 

There is a mismatch between ISAKMP proposals in the initiator and the responder. 

Action to Take 

Verify that the ISAKMP SA proposals match. 

"ISAKMP Phase II proposal is not acceptable. Peer: " 
Meaning 

There is a mismatch between IPsec proposals in the initiator and the responder. 

Action to Take 

Verify that the IPsec SA proposals match. 

"Received ISAKMP initialization request. Peer: " 
Meaning 

This is confirmation that the responder received the ISAKMP initialization packet. 

Action to Take 

None. This message is confirmation of successful operation. 

"Phase I complete. " 

Meaning 

ISAKMP authentication and proposal ID agreement was successful. 

Action to Take 

None. This message is confirmation of successful operation. 
MN-00038 C 117 



"Start ISAKMP initialization. Peer: " 
Meaning 

The ISAKMP authentication process has begun. 

Action to Take 

None. This message is confirmation of successful operation. 

"ISAKMP failed. Peer: " 
Meaning 

Any of several problems may have occurred during Phase I (ISAKMP) authentication 
process, including a mismatch between IPsec proposals or a routing problem. 

Action to Take 

Verify IPsec and ISAKMP settings, and check connections to the router. 

"No SA exists. Next payload is not SA, and 
exchange is not MM. ISAKMP aborted" 

Meaning 

Received an ISAKMP packet, for which there is no existing ISAKMP security association 
(SA). In addition, the packet is not for initiating an ISAKMP session. 

Action to Take 

Wait for the system to retry automatically. 

"Invalid payload. Possible overrun attack! " 

Meaning 

There is incorrect information within the payload for building the SA. 

Action to Take 
Check the configuration of the policy data entries to confirm that the ISAKMP, Proposals, 
and network table settings match, and retry. 

Another common cause of this error is a mismatch between defined pre-shared keys in the 
ISAKMP entries of the security devices. 

"Main Mode processing failed " 
Meaning 

ISAKMP failed in Phase I. 

Action to Take 

Verify configuration of the ISAKMP proposals for both sides. 

"ISAKMP SA condition reported dead." 
Meaning 

General ISAKMP session failure. 

Action to Take 

Check the access list on the router or firewall. Open UDP port 500, protocol type 50. Look 
for other Syslog messages for other information as to the cause of failure. 

"ISAKMP timeout. Retransmission failed. Peer: " 
Meaning 

General ISAKMP session failure. 

Action to Take 

Check the access list on the router or firewall. Open UDP port 500, protocol type 50. Look 
for other Syslog messages for other information as to the cause of failure. 
"Source address failed filter." 



Meaning 



The source address contained in an IP packet is not defined correctly within the Network 
Tables | Local Networks setting. 

Action to Take 

Specify the network IP address in the Local Network entry. 



"Destination address failed filter." 

Meaning 

The destination address contained in an IP packet is not defined correctly within the 
Network Tables | Peer Networks setting. 

Action to Take 

Specify the network IP address in the Peer Network entry. 



"Dropped an unsupported management/non-SA 
data frame from " 

Meaning 

A non-RedCreek SNMP application attempted to communicate with the Ravlin unit. 

Action to Take 

None. This message is a warning only. 



"Source or destination address failed filter." 

Meaning 

In the policy data entry, the network table settings do not match on both sides of the 
exchange, or the Ravlin unit received through a tunnel a packet for which there is no 
matching network table setting. 

Action to Take 
Make sure that all network table settings are correct in the policy data entries. In addition, 
refer to the descriptions of the "Source address failed filter" and "Destination address failed 
filter" error messages. 



"ISAKMP race condition found. Peer: " 
Meaning 

Both sides of the ISAKMP transaction are trying to initiate ISAKMP simultaneously. 

Action to Take 

Terminate traffic from either side of the transaction. 

"RADIUS Authentication Request Sent" 
Meaning 

A request for RADIUS authentication has been sent. 

Action to Take 

None. This message is confirmation of successful operation. 

"RADIUS Authentication Initial Challenge Received" 
Meaning 

The Ravlin Soft client has received a RADIUS challenge from the RADIUS server. 

Action to Take 

None. This message is confirmation of successful operation. 

"RADIUS Authentication Challenge Received" 
Meaning 

The Ravlin Soft user received a RADIUS challenge from the RADIUS server, input the 
user name and password, and sent the input values back to the server. 
Action to Take 

None. This message is confirmation of successful operation. 

"RADIUS Authentication Successful" 
Meaning 

The entire process of RADIUS authentication was successful. Authentication complete. 

Action to Take 

None. This message is confirmation of successful operation. 

"RADIUS Authentication Failed" 
Meaning 

The process of RADIUS authentication was unsuccessful. Authentication not complete. 

Action to Take 

Make sure the user provided a valid user ID and password. 

"RADIUS Authentication Timed Out" 
Meaning 

The specified RADIUS timeout interval is exceeded. The RADIUS server is unreachable, 
or it is too slow to respond within the time interval. 

Action to Take 

Make sure the RADIUS server is up and running, and confirm that the Ravlin unit can 
reach the server. 

"RADIUS Initial Challenge Received while Request is 
pending" 

Meaning 




While waiting for a response from a RADIUS server, the Ravlin unit received another 
RADIUS packet from the Ravlin Soft client. 

Action to Take 

None. This message is a warning only. 

"RADIUS Authentication Failed (User Cancelled)" 
Meaning 

The Ravlin Soft user terminated the RADIUS authentication challenge (by pressing the 
<Esc> key or the Cancel button). 

Action to Take 

None. This message is confirmation of successful authentication cancellation. 

"IO_GET_ACTIVE_BINDING_ADDR ioctl failed" 
Meaning 

Ravlin Soft is not able to find an active adapter, or the active adapter does not have IP 
addresses assigned. 

Action to Take 

Make sure there is an active adapter on the host machine, and confirm that it has an IP 
address and gateway assigned to it. 
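As an added example (not RedCreek code), the following Python triage script turns the appendix above into detection logic: it parses syslog lines, matches each message against the message texts listed in this appendix, tags it with a category and the condensed "Action to Take", and counts non-informational ISAKMP/RADIUS events per peer so a peer whose tunnel never comes up stands out from normal chatter. The syslog line layout (timestamp, host, message) and the sample log lines are constructed assumptions; the category labels are the editor's, not the manual's.

```python
"""Triage of Ravlin Syslog messages from Appendix C.

Added example, not RedCreek code. Message prefixes come from the appendix;
category and action strings condense its "Meaning" / "Action to Take"
entries. The syslog line layout and the sample lines are constructed.
"""
import re

# (message prefix as printed in the appendix, category, condensed action).
# Order matters: more specific prefixes must precede shorter ones.
MESSAGE_TABLE = [
    ("RADIUS Authentication Failed (User Cancelled)", "info", "none: user cancelled"),
    ("RADIUS Authentication failed. Client:", "auth", "check RADIUS user name/password and server log"),
    ("RADIUS Authentication Failed", "auth", "verify user ID and password"),
    ("RADIUS Authentication Timed Out", "network", "check RADIUS server is up and reachable"),
    ("RADIUS Initial Challenge Received while Request is pending", "warning", "none"),
    ("RADIUS Authentication", "info", "none: normal RADIUS progress"),
    ("Signature Verification failure", "auth", "pre-shared key workaround; may need vendor support"),
    ("Received ICMP Destination unreachable", "network", "open UDP 500 and protocol 50 on access lists"),
    ("ISAKMP SA condition reported dead", "network", "open UDP 500 and protocol 50; check other messages"),
    ("ISAKMP timeout. Retransmission failed", "network", "open UDP 500 and protocol 50; check other messages"),
    ("ISAKMP Phase I proposal is not acceptable", "mismatch", "verify ISAKMP SA proposals match"),
    ("ISAKMP Phase II proposal is not acceptable", "mismatch", "verify IPsec SA proposals match"),
    ("Quick Mode processing failed", "mismatch", "verify IPsec proposals match"),
    ("Main Mode processing failed", "mismatch", "verify ISAKMP proposals on both sides"),
    ("Invalid payload. Possible overrun attack!", "mismatch", "check policy data entries and pre-shared keys"),
    ("Source or destination address failed filter", "mismatch", "check network table settings"),
    ("Source address failed filter", "mismatch", "fix Network Tables | Local Networks entry"),
    ("Destination address failed filter", "mismatch", "fix Network Tables | Peer Networks entry"),
    ("ISAKMP race condition found", "warning", "terminate traffic from one side"),
    ("Dropped an unsupported management/non-SA data frame", "warning", "none"),
    ("No SA exists", "network", "wait for automatic retry"),
    ("Received ISAKMP initialization request", "info", "none"),
    ("Start ISAKMP initialization", "info", "none"),
    ("Phase I complete", "info", "none"),
]

# Assumed line layout: "<Mon dd hh:mm:ss> <host> <message>".
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
PEER_RE = re.compile(r"Peer:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def classify(message):
    """Map one message text to (category, action) via the appendix table."""
    for prefix, category, action in MESSAGE_TABLE:
        if message.startswith(prefix):
            return category, action
    return "unknown", "not in appendix: review manually"


def triage(lines):
    """Parse syslog lines; return one record per line that fits the layout."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        category, action = classify(msg)
        peer = PEER_RE.search(msg)
        records.append({"host": m.group("host"), "message": msg, "category": category,
                        "action": action, "peer": peer.group(1) if peer else None})
    return records


def failures_by_peer(records):
    """Count auth/mismatch/network events per peer address."""
    counts = {}
    for r in records:
        if r["peer"] and r["category"] not in ("info", "warning", "unknown"):
            counts[r["peer"]] = counts.get(r["peer"], 0) + 1
    return counts


# Constructed sample log: one peer failing Phase I, one normal RADIUS logon.
SAMPLE_LOG = [
    "Mar  3 10:15:20 ravlin1 Start ISAKMP initialization. Peer: 192.0.2.7",
    "Mar  3 10:15:21 ravlin1 ISAKMP Phase I proposal is not acceptable. Peer: 192.0.2.7",
    "Mar  3 10:15:25 ravlin1 ISAKMP timeout. Retransmission failed. Peer: 192.0.2.7",
    "Mar  3 10:16:02 ravlin1 RADIUS Authentication Request Sent",
    "Mar  3 10:16:05 ravlin1 RADIUS Authentication Successful",
    "Mar  3 10:16:40 ravlin1 RADIUS Authentication Failed (User Cancelled)",
    "Mar  3 10:17:00 ravlin1 Some message that is not in the appendix",
    "garbage line without syslog framing",
]

if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(f"{r['category']:9} {r['message']}  ->  {r['action']}")
    print("failures by peer:", failures_by_peer(recs))
```

Prefix matching is case-sensitive on purpose: the appendix lists both "RADIUS Authentication failed. Client:" (wrong credentials at the server) and "RADIUS Authentication Failed" (client-side outcome), and they carry different actions.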






GLOSSARY 



This glossary defines terms that appear in RedCreek technical documentation. 

Address Resolution Protocol (ARP) 

A protocol used to obtain the physical addresses (such as MAC addresses) of hardware 
units in a network environment. A host obtains such a physical address by broadcasting 
an ARP request, which contains the IP address of the target hardware unit. If the request 
finds a unit with that IP address, the unit replies with its physical hardware address. 

AH 

See Authentication Header. 

API 

See application programmer interface. 

application programmer interface (API) 

A set of predefined resources such as subroutines, protocols, and tools for building 
software applications. An API spares the software developer the task of developing such 
resources from scratch, thus speeding the development process. 

See also: LAN Services API. 

application gateway firewall 

A firewall that applies security mechanisms to specific applications, such as FTP and 
Telnet servers. Although effective, application gateway firewalls sometimes reduce 
performance through high overhead. 

application window 

The main window of an application, usually the first window to appear when the user 
invokes the application. For example, when the user invokes the Ravlin Node Manager 
(usually via the Start menu or a desktop icon) the Ravlin Node Manager application 
window appears. 

ARP 

See Address Resolution Protocol. 

asymmetrical key exchange 

A form of key exchange in which keys are divided into key pairs. Each key pair consists of 
a public key for encrypting messages and a private key for decrypting messages. A public 
key is not necessarily a secret, while the private key is a secret known only by the unit to 
which it belongs. 

Authentication Header (AH) 
A form of IP packet authentication that provides integrity and authentication without 
confidentiality. AH ensures proper authentication by encapsulating the entire IP packet 
and attaching an authentication header to the packet. Because neither the packet's 
payload nor its IP address is encrypted, AH mode is widely acceptable even where the 
export, import, or use of encryption is regulated or prohibited. 

authentication 

The process of identifying each party before performing a secure data exchange, and 
confirming that no exchanged information is altered by unauthorized parties. RedCreek 
Ravlin units, and Ravlin Soft clients perform authentication using X.509 v3 digital 
certificates, the Diffie-Hellman algorithm, and HMAC-supported hashing functions. 

authorization 

The process of determining what services, actions, and privileges are allowed to each 
party in a secure information exchange. 

CA 

See certificate authority. 

CA signature 

A digital code that vouches for the authenticity of a digital certificate. The CA signature is 
provided by the certificate authority (CA) that issued the certificate. 

certificate authority (CA) 

A trusted third-party organization that issues unique digital certificates to individuals or 
organizations. The CA signs each digital certificate to vouch for the identity of the 
individual or organization. 

CHAP 

See Challenge Handshake Authentication Protocol. 

Challenge Handshake Authentication Protocol (CHAP) 

An authentication method in which the remote access or network server sends the client a 
key for encrypting the user name and password. The encryption algorithm is usually 
MD5. 

circuit-level gateway firewall 

A firewall that applies security mechanisms at the time a TCP or UDP connection is 
established. From then on, packets can flow between the hosts without further checking. 

cleanup interval 

A setting in the Ravlin Node Manager that specifies how long a Ravlin unit waits before 
performing automatic internal cleanup. In general, the busier the network, the more often 
system cleanups should be performed. 
community string 

A character string used to identify valid sources for SNMP requests, and to limit the 
scope of accessible information. Ravlin units use the community string like a password, 
allowing only a limited set of management stations to access its MIB. 

component (RedCreek term) 

A set of related configuration parameters for a Ravlin device. The Ravlin Node Manager 
displays components in the Item pane of a unit window, where the user can select a 
component and view or modify the parameters it contains. 

configuration 

The process of setting and modifying operating parameters, which determine how a 
system performs its tasks. Typically, the system reads the configuration parameters at 
startup from a configuration file. The Ravlin Node Manager is the primary tool for 
configuring Ravlin units. 

configuration file 

A file, usually consisting of ordinary text, that contains user-defined configuration 
settings. These settings determine how a system performs its tasks after startup. 

Contents pane 

A region in a unit window that displays configuration settings. The user displays settings 
in the Contents pane by selecting components in the Item window. 

cryptography 

A branch of complex mathematics and engineering devoted to protecting information from 
unwanted access. In the context of computer networking, cryptography consists of 
encryption, authentication, and authorization. 

cyphertext 

A stream of unreadable text produced by an encryption device or encryption software. 
Cyphertext is unreadable until it is decrypted. 

Data Encryption Standard (DES) 

An encryption standard developed by IBM in 1971, enhanced by NSA and NIST in the 
late 1970s, and adopted by ABA in 1980. 

datagram 

See IP packet. 

data terminal equipment (DTE) 

Devices used directly by end users in a networking environment. Examples of DTE include 
client and server PCs, workstations, and dumb terminals (network computers). In the 
context of network configuration and management, such devices are often referred to as 
nodes. 
decryption 

The transformation of an encrypted data stream into a readable form. The decryption 
algorithms used by Ravlin Soft clients and Ravlin units conform to DES and Triple DES 
standards. 

DES 

See Data Encryption Standard. 

DHCP 

See Dynamic Host Configuration Protocol. 

Diffie-Hellman algorithm 

An algorithm that generates a session key for both parties during an attempt to establish a 
secure association. The algorithm uses each party's unique private value, plus public 
values derived during ISAKMP. 

digital certificate 

See X.509 v3 digital certificate. 

digital signature 

A digital code, attached to an electronically transmitted digital certificate, that uniquely 
identifies the party sending the certificate and guarantees the party's identity prior to a 
secure data exchange. 

DNS 

See Domain Name Service. 

Domain Name Service (DNS) 

A service that translates domain names (such as www.this-domain-name.com) into IP 
addresses for the Internet. The DNS is itself somewhat like a network. For example, when a 
web browser submits a domain name to the Internet, a DNS server receives the name and 
attempts to translate it into the IP address of the target device. If the DNS server receives 
an unknown domain name, it passes the name to another DNS server. This process 
continues until all the servers are queried, or until the correct IP address is found. 

DTE 

See data terminal equipment. 

Dynamic Host Configuration Protocol (DHCP) 

A protocol for assigning dynamic IP addresses to devices on a network. Dynamic 
addressing allows a device to have a different IP address each time it connects to the 
network. Dynamic addressing lets a system's software keep track of IP addresses, instead 
of requiring an administrator to perform the task. 
encryption 

The transformation of a data stream into a form unreadable by any but intended parties. 

encryption device 

A hardware device, such as a Ravlin unit, that encrypts IP packets exchanged through 
network communication channels. Ravlin units provide outbound encryption and inbound 
decryption from a gateway (usually a router) to another gateway over the network. These 
units can work at the link, network, or application layer, and network administrators can 
combine them with other network devices such as routers and firewalls. 

Encapsulating Security Payload (ESP) 

An operational mode in which a security device encrypts the entire IP packet, 
authenticates it, encapsulates it, and gives it a new IP header. When two such devices 
establish a security association in ESP mode, the communication link between the units is 
referred to as an ESP tunnel. Because ESP tunnel mode encapsulates and encrypts the 
original IP header along with the payload, intruders cannot capture routing information 
and use it to attack the system. Encapsulated tunneling also allows organizations to 
conserve IP address space and manage firewall resources more efficiently. 

ESP 

See Encapsulating Security Payload. 

Ethernet 

A widely-used local area network (LAN) protocol developed in 1976 by Xerox 
Corporation, Digital Equipment Corporation, and Intel Corporation. The Ethernet 
specification was the basis for the IEEE 802.3 standard. Ethernet runs on a bus or star 
topology, and uses the CSMA/CD access method to handle simultaneous demands. 
Standard Ethernet operates at 10 Mbit/sec, while Fast Ethernet operates at 100 Mbit/sec. 
The newest version, Gigabit Ethernet, can operate at 1000 Mbit/sec. 

firewall 

A hardware or software system that prevents unauthorized access to or from a private 
network. For example, a firewall might prevent unauthorized users from accessing private 
networks connected to the Internet. The firewall examines incoming or outgoing 
information, and blocks traffic that does not meet specified security criteria. 

Firewall techniques include packet filter, application gateway, circuit-level gateway, and 
proxy server. 

firmware 

Data or programs stored permanently in read-only memory (ROM) or flash memory. The 
firmware in Ravlin hardware devices is configurable with Ravlin Node Manager. 
flash memory 

An erasable and reprogrammable EEPROM that can store and exchange memory block-by- 
block instead of byte-by-byte. Ravlin hardware devices store their firmware in flash 
memory so users can alter their configuration settings with the Ravlin Node Manager or 
replace one version of the firmware with another. 

gateway 

A hardware and software system that links two or more networks of different types. For 
example, gateways between different e-mail systems let users on each system exchange 
messages. 

hashing 

The process of deriving a number, known as a hash, from a string of text. A hash is 
usually substantially smaller than the text stream from which it originated. The hashing 
algorithm is designed to generate the hash with a very low probability that hashing a 
different text string might generate an identical hash value. 

Encryption devices use hashing to ensure that intruders have not modified transmitted 
messages. The sending device generates a hash of the message, encrypts the hash and 
the message itself, then transmits both to the receiving unit. The receiving device 
decrypts the message and the hash, then produces another hash from the decrypted 
message. If the two hashes are identical, it is very unlikely that an intruder modified the 
message in transit. 

HMAC 

See Hashing Message Authentication Codes. 

Hashing Message Authentication Codes (HMAC) 

A message authentication mechanism that uses cryptographic hashing functions such as 
MD5 and SHA-1, in combination with a shared secret key. HMAC allows easy 
replacement of the underlying hashing function, as when security requirements change or 
when faster or more secure hashing functions become available. 
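The Diffie-Hellman, hashing and HMAC entries above describe one sequence: the two parties derive a session key, and that key then drives a keyed hash that lets the receiver detect modified messages. The following Python program is an added example, not RedCreek code, that carries that sequence through end to end using the standard library: the group parameters, private values and message are constructed for the example and deliberately toy-sized (the prime is 2**61 - 1, which is far too small for real use; a deployment uses a standardized large MODP group), and the session-key derivation by hashing the shared secret is a simple stand-in for a real KDF.

```python
"""Diffie-Hellman agreement followed by HMAC message authentication.

Added example, not RedCreek code. Toy-sized group for readability: P is the
Mersenne prime 2**61 - 1, which is NOT a secure choice. Real deployments use
a standardized large MODP group.
"""
import hashlib
import hmac
import secrets

P = 2**61 - 1          # constructed toy prime modulus
G = 3                  # constructed generator


def dh_keypair(private=None):
    """Return (private, public) with public = G**private mod P.
    A fixed private value may be passed in for reproducible tests."""
    if private is None:
        private = secrets.randbelow(P - 2) + 1
    return private, pow(G, private, P)


def dh_shared_secret(private, peer_public):
    """Combine our private value with the peer's public value.
    Degenerate public values (0, 1, P-1) are rejected before use."""
    if not 1 < peer_public < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P)


def session_key(shared_secret):
    """Derive a fixed-size session key by hashing the shared secret
    (a simple stand-in for a proper key derivation function)."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def authenticate(key, message):
    """Sender side: HMAC-SHA1 tag over the message, as the glossary's
    HMAC entry describes (SHA-1 is one of the hashes the manual lists)."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify(key, message, tag):
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(authenticate(key, message), tag)


def demo(message=b"constructed sample payload"):
    """Run one exchange. Returns (keys agree, genuine tag verifies,
    tampered message verifies) which should be (True, True, False)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = session_key(dh_shared_secret(a_priv, b_pub))
    key_b = session_key(dh_shared_secret(b_priv, a_pub))
    tag = authenticate(key_a, message)
    return key_a == key_b, verify(key_b, message, tag), verify(key_b, message + b"!", tag)


if __name__ == "__main__":
    print(demo())
```

Each side ends up with the same key without ever sending it, and any change to the message after the tag was computed makes verification fail; the constant-time comparison in `verify` avoids leaking how many tag bytes matched.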

Intelligent I/O 

See I2O. 

I2O 

A recently-developed I/O architecture that increases efficiency by eliminating certain I/O 
bottlenecks. I2O technology uses special I/O processors that perform interrupt handling, 
buffering, and data transfer, thus relieving the host processor of the overhead usually 
imposed by these operations. 

An I2O driver consists of an OS-specific module (OSM) that manages higher-level 
operations such as file access, and a hardware device module (HDM) that manages 
communication with specific devices. Because the OSM and HDM are autonomous, they 
can perform their tasks independently without sending data over the I/O bus. 



IETF 

See Internet Engineering Task Force. 

Internet Engineering Task Force (IETF) 

An international standards organization consisting of network designers, operators, 
vendors, and researchers concerned with the evolution of Internet architecture. 

Internet Protocol Security (IPsec) 

A set of IETF protocols that support secure exchange of packets at the IP layer. IPsec 
supports two encryption modes, transport and tunnel. Transport mode encrypts only the 
data portion (payload) of each packet, leaving the header untouched, while Tunnel mode 
encrypts both the header and the payload. 

Internet Security Association Key Management Protocol 
(ISAKMP) 

A protocol developed by the Internet Engineering Task Force (IETF) as part of Internet 
Protocol Security (IPsec), for exchanging public keys, authenticating the senders, 
generating shared session keys, and establishing secure associations. 

IP address 

A 32-bit numeric value, expressed as four numbers separated by periods, that identifies a 
computer or device on a TCP/IP network. Such networks route messages according to the 
specified destination IP address. 

IP header 

The portion of an IP packet containing the destination IP address for the packet. In a 
networking environment, routers use the IP header to direct the packet to the proper 
network node. 

IP packet (datagram) 

A collection of useful information (known as a payload) combined with network control 
information and an IP header. Network routers use the IP header to direct the packet to the 
proper network node. 

IPsec 

See Internet Protocol Security. 

ISAKMP 

See Internet Security Association Key Management Protocol. 
Item pane 

A region located at the left side of the Ravlin Node Manager application window. The 
Item pane displays components, which contain configuration settings for Ravlin units. 
When the user clicks a particular component in the Item pane, the information contained 
in that component appears in the Contents pane to the right. 

key 

A numerical value that allows communicating parties to encrypt or decrypt messages 
according to a protocol recognized by both parties. 

key exchange 

The process of exchanging numerical keys to protect each party in a secure data 
exchange. After a successful key exchange, the system sets up a secure association, 
which permits secure (encrypted) communication between the two parties. 

local area network (LAN) 

A series of computers that share and exchange data with each other, usually at the same 
physical site. (By contrast, computers in a WAN share and exchange their data over 
communication lines, as with the Internet.) 

Management Information Base (MIB) 

A database of objects that can be monitored by an SNMP-based network management 
system. Standardized MIB formats allow any SNMP tool to monitor any device defined by 
a MIB. 

MD5 

A 128-bit hashing function designed for optimization with microprocessor-based systems 
such as Intel. MD5 provides good security and speed with a fairly simple algorithm, but it 
is somewhat susceptible to brute-force cryptographic attacks. 

See also: Secure Hash Algorithm. 

menu bar 

A series of menus, usually arranged horizontally near the top of an application window. In 
most Windows applications, menu bars contain variations of standard menus such as File, 
Window, and Help, plus menus that apply to particular applications. 

MIB 

See Management Information Base. 

nodes 

Devices used directly by end users in a networking environment. Known collectively as 
Data Terminal Equipment (DTE), such devices include client and server PCs, workstations, 
and dumb terminals (network computers). 
packet filter firewall 

A firewall that, according to well-defined rules, accepts or rejects IP packets entering or 
leaving an intranet. Although packet filtering is fairly effective and transparent to users, it 
is vulnerable to IP spoofing and is sometimes difficult to configure. 

public key 

A value used to encrypt messages. As its name implies, a public key is not necessarily a 
secret; it is analogous to a telephone number, which any number of people might know. 
By contrast, the private key is analogous to a PIN number for an ATM account; it is a 
secret known only by the unit to which it belongs. 

private key 

A value used to decrypt messages in a secure data exchange. Because the private key is a 
secret known only by the unit to which it belongs, it is analogous to a PIN number for an 
ATM account. By contrast, the public key is analogous to a telephone number, which any 
number of people might know. 

protocol 

A mutually-recognized format for transmitting data between two devices, usually in a 
networking environment. Protocols determine such issues as how to check errors, how to 
compress data, how to delimit messages, and how to confirm receipt of messages. 

proxy server firewall 

A firewall that intercepts all messages entering and leaving a network. The proxy server 
effectively hides the true network addresses. 

RADIUS 

See Remote Authentication Dial-In User Service. 

Remote Authentication Dial-In User Service (RADIUS) 

A protocol, developed by Livingston Enterprises and extended by Ascend 
Communications, that lets users exchange session authentication and configuration 
information between a Network Access Server (NAS) and an authentication server. 
Although RADIUS is not an official standard, a working group of the IETF maintains the 
RADIUS specification. 

Reduced Instruction Set Computer (RISC) Processor 

A type of microprocessor that recognizes a limited number of instructions. The 
advantages of RISC processors include greater speed and (because RISC processors need 
fewer transistors) lower design and manufacturing costs. 

RISC processor 

See Reduced Instruction Set Computer (RISC) Processor. 
router 

A dedicated device that directs IP packets to destinations in a networking system, 
typically to networks or subnetworks. Routers are similar to bridges, but can perform other 
services such as filtering messages and directing them to other locations according to 
specified criteria. 

scalability (network) 

The ability of a hardware or software system to be adapted or modified for increased 
demands. For example, a network system is said to be scaleable if administrators can 
expand it from a few nodes to thousands of nodes without difficulty. 

security association 

A relationship between two security devices that allows the devices to exchange secured 
information. For example, after two Ravlin units form a security association, the units can 
send encrypted information to each other and decrypt each other's messages. 

secure VPN 

See virtual private network. 

security gateway 

A communications gateway between trusted hosts in a network and external, untrusted 
systems. A security gateway also provides security services for the trusted hosts when 
they communicate with these untrusted systems. 

Secure Hash Algorithm (SHA) 

A 160-bit hash function, mandated by the National Institute of Standards and Technology 
(NIST), with security mechanisms similar to MD5. Because SHA generates a 160-bit hash 
(message digest) it is much safer from brute-force cryptographic attacks than MD5. 

Security ID 

A number that uniquely identifies a unit on a network. The Security ID is printed on the 
label affixed to the bottom of Ravlin units. 

session key 

An identical value shared in common between two units in a secure association. Each unit 
uses this key to decrypt encrypted messages sent by the other unit. Ravlin units generate 
the session key using an algorithm known as Diffie-Hellman. 

SHA 

See Secure Hash Algorithm. 

shared secret 

A key value shared in common between two units in a secure network. The shared secret 
confirms the identity of each unit to the other during ISAKMP. 
Simple Network Management Protocol (SNMP) 

A relatively uncomplicated, application-layer protocol designed for the exchange of 
management information between network devices. SNMP-based applications can store 
data about themselves in Management Information Bases (MIBs) and return this 
information to SNMP-based requesters. 

SNMP 

See Simple Network Management Protocol. 

status bar 

A horizontal region, usually located at or near the bottom of an application window, that 
displays context-sensitive information. For example, the Ravlin Node Manager application 
window has a status bar that displays information on the current condition or status of 
the session. 

title bar 

A horizontal region, located at the top of a window or dialog box, that displays a 
descriptive name or title. 

tool bar 

A horizontal region, usually located beneath the menu bar in an application window, 
containing icons that allow the user to execute menu commands directly. The usual 
purpose of a tool bar is convenience and efficiency. 

Triple DES 

An encryption algorithm developed shortly after the development of DES, mostly in 
response to demands by the financial community. Triple DES uses a 168-bit key, so it 
provides stronger protection than DES. As its name implies, Triple DES modifies the data 
stream in three steps: 

1. Apply the encryption algorithm to the data with a key, producing cyphertext. 

2. Apply the decryption algorithm to the data with another key. 

Because it is a different key than the one used to encrypt in the first step, this 
produces more cyphertext. 

3. Apply the encryption algorithm to the data again, using a third key. 

The encrypted data stream produced by 168-bit Triple DES is more random (hence safer) 
because the key is changed at each step of the process. 

tunnel 

See Encapsulating Security Payload. 
unit window 

A window in the Ravlin Node Manager that displays configuration parameters for a single 
Ravlin Soft client or Ravlin unit. A unit window consists of two sections, the Item pane 
and the Contents pane. The item pane displays components, which contain configuration 
settings for controlling Ravlin units. When you click a particular item in the Item pane, the 
information attached to that choice appears in the Contents pane on the right. 

virtual private network (VPN) 

A private network constructed over a public LAN or WAN. To the user, the VPN usually 
appears to be a true public network. A secure VPN provides encryption and other security 
mechanisms that allow only authorized users to access the VPN, and prevent intruders 
from intercepting or modifying the data. 

VPN 

See virtual private network. 

wide area network (WAN) 

A series of computers that share and exchange data over communication lines, as with the 
Internet. By contrast, computers in a LAN share and exchange data at the same physical 
site. 

X.509 v3 digital certificate 

A widely used standard for defining digital certificates. A digital certificate is a digitally- 
signed electronic document, obtained from a trusted certificate authority, that vouches for 
the identity and public key of a person or organization. Users can request digital 
certificates from certificate servers owned by public or private certificate issuers. The 
information contained in a X.509 v3 digital certificate consists of the public key, a name, 
an expiration date for the public key, the name of the certificate issuer, a serial number, and 
the digital signature of the certificate issuer. 
Distinguished Name See DN 

DN 30, 33 

DTE 103 



Encapsulating Security Payload See ESP 

encapsulation 29 

encryption 16, 53, 105 

Encryption 3 

encryption algorithms 105 

ESP 16, 24, 27, 29, 40, 41, 111 

ESP Transport 28 

ESP Transport mode 112 